Windows Analysis Report
VBEhHxyHpJ.exe

Overview

General Information

Sample name: VBEhHxyHpJ.exe (renamed because the original name is a hash value)
Original sample name: 48ef0b4fe2be5a3b34b2189b18e55e3da3c7b70a7d4dde814f7c4c8a5c314d20.exe
Analysis ID: 1466951
MD5: f8296e0f8d3011b6655fe5baa9152b85
SHA1: 2be45b7523ce8acb97eda3822c63060f4849daec
SHA256: 48ef0b4fe2be5a3b34b2189b18e55e3da3c7b70a7d4dde814f7c4c8a5c314d20
Tags: exe, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Execution of Powershell with Base64
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • VBEhHxyHpJ.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\VBEhHxyHpJ.exe" MD5: F8296E0F8D3011B6655FE5BAA9152B85)
    • powershell.exe (PID: 7736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      (the -ENC argument is the base64 of the UTF-16LE string "start-sleep -seconds 20": a 20-second delay, which is the "Encrypted powershell cmdline option found" signature and fits the "Delayed program exit found" one)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 8180 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      (RegAsm.exe is started with no arguments and used as the injection host: the Yara hits on 6.2.RegAsm.exe.400000.0.unpack below are the Remcos payload mapped at its image base, and it is the process that sets the keyboard hook, writes logs.dat and talks to the C2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware Configuration (Remcos, extracted from 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp)

{
  "Host:Port:Password": "103.212.81.159:5207:1",
  "Assigned name": "MGOG",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Remcos",
  "Hide file": "Disable",
  "Mutex": "Rmc-RLNEHU",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
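The configuration above was produced by the sandbox's extractor. The following is an added example, not Joe Sandbox's code, of how such a Remcos configuration is decoded once the SETTINGS blob has been pulled out of the binary's resources (for instance with pefile, which is not used here so the example runs offline). The layout is assumed from public analyses of Remcos v3+ and is stated as an assumption: byte 0 is the RC4 key length, the key follows, and the remainder is RC4 ciphertext whose plaintext is a list of fields separated by "|\x1e\x1f|". The index-to-name mapping follows the order of the listing above and is also an assumption. The blob decoded below is constructed from the values in this report with a made-up key; it was not carved from the sample.

```python
"""Decode a Remcos SETTINGS configuration blob into named fields.
Added example; not Joe Sandbox's extractor. Layout (assumed from public
Remcos v3+ analyses): blob[0] = RC4 key length, then the key, then RC4
ciphertext whose plaintext is '|\\x1e\\x1f|'-separated fields. The sample blob
is constructed from this report's values with a made-up key."""
from typing import Dict, List, Tuple

SEPARATOR = b"|\x1e\x1f|"
# Field order taken from the report's listing; the mapping is an assumption.
FIELDS = [
    "Host:Port:Password", "Assigned name", "Connect interval", "Install flag",
    "Setup HKCU\\Run", "Setup HKLM\\Run", "Install path", "Copy file",
    "Startup value", "Hide file", "Mutex", "Keylog flag", "Keylog path", "Keylog file",
]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> Dict[str, str]:
    """Split a SETTINGS blob into key and ciphertext, decrypt, and name the fields."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) <= 1 + key_len:
        raise ValueError("key length %d does not fit in %d bytes" % (key_len, len(blob)))
    key, ciphertext = blob[1:1 + key_len], blob[1 + key_len:]
    plain = rc4(key, ciphertext)
    if SEPARATOR not in plain:
        raise ValueError("no field separator after decryption: wrong layout or key")
    cfg = {}
    for idx, raw in enumerate(plain.split(SEPARATOR)):
        name = FIELDS[idx] if idx < len(FIELDS) else "field_%d" % idx
        cfg[name] = raw.decode("latin-1")
    return cfg


def c2_endpoint(cfg: Dict[str, str]) -> Tuple[str, int, str]:
    """Validate and split the host:port:password triple."""
    host, port_s, password = cfg["Host:Port:Password"].rsplit(":", 2)
    port = int(port_s)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return host, port, password


def build_settings(key: bytes, values: List[str]) -> bytes:
    """Inverse of parse_settings; used only to construct the sample input here."""
    return bytes([len(key)]) + key + rc4(key, SEPARATOR.join(v.encode() for v in values))


# Constructed sample: the report's values, encrypted under a made-up key.
SAMPLE_VALUES = ["103.212.81.159:5207:1", "MGOG", "1", "Disable", "Enable", "Enable",
                 "Application path", "remcos.exe", "Remcos", "Disable", "Rmc-RLNEHU",
                 "1", "Application path", "logs.dat"]
SAMPLE_KEY = b"not-the-real-key"
SAMPLE_BLOB = build_settings(SAMPLE_KEY, SAMPLE_VALUES)

if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_BLOB)
    for name, value in cfg.items():
        print("%s: %s" % (name, value))
    print("C2:", c2_endpoint(cfg))
```

The separator check after decryption is the cheap sanity test a practitioner wants: a wrong key or a different layout produces bytes with no "|\x1e\x1f|" in them, which is reported as an error rather than as garbage field values.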
Yara matches: dropped files
  Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Yara matches: memory dumps
  Source: 00000006.00000002.3839273642.0000000002C9E000.00000004.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  Source: 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
  Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
    • 0x6a470:$a1: Remcos restarted by watchdog!
    • 0x6a9d4:$a3: %02i:%02i:%02i:%03i
  (17 memory-dump entries in the full report; only the first are shown here)
Yara matches: unpacked PEs
  Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
  Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
  Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
    • 0x68470:$a1: Remcos restarted by watchdog!
    • 0x689d4:$a3: %02i:%02i:%02i:%03i
  Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
    • 0x624c4:$str_a1: C:\Windows\System32\cmd.exe
    • 0x62440:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x62440:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x62938:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x63168:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x62534:$str_b2: Executing file:
    • 0x635b4:$str_b3: GetDirectListeningPort
    • 0x62f58:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x630d8:$str_b7: \update.vbs
    • 0x6255c:$str_b9: Downloaded file:
    • 0x62548:$str_b10: Downloading file:
    • 0x625ec:$str_b12: Failed to upload file:
    • 0x6357c:$str_b13: StartForward
    • 0x6359c:$str_b14: StopForward
    • 0x63030:$str_b15: fso.DeleteFile "
    • 0x62fc4:$str_b16: On Error Resume Next
    • 0x63060:$str_b17: fso.DeleteFolder "
    • 0x625dc:$str_b18: Uploaded file:
    • 0x6259c:$str_b19: Unable to delete:
    • 0x62ff8:$str_b20: while fso.FileExists("
    • 0x62a71:$str_c0: [Firefox StoredLogins not found]
  Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
    • 0x623b8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    • 0x6234c:$s1: CoGetObject
    • 0x62360:$s1: CoGetObject
    • 0x6237c:$s1: CoGetObject
    • 0x6c15e:$s1: CoGetObject
    • 0x6230c:$s2: Elevation:Administrator!new:
    ({3E5FC7F9-9A51-4367-9063-A120244FBEC7} is the CLSID of the auto-elevating CMSTPLUA COM class; passing the "Elevation:Administrator!new:" moniker plus that CLSID to CoGetObject yields an elevated ICMLuaUtil object without a UAC prompt, which is the "UAC bypass (CMSTPLUA)" the signatures refer to. The REMCOS_RAT_variants strings show the complementary approach: a cmd.exe /k reg.exe ADD ... EnableLUA command that turns UAC off outright.)
  (15 unpacked-PE entries in the full report; only the first are shown here)

System Summary

Sigma match (Process started). Rule authors: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
  Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ParentCommandLine: "C:\Users\user\Desktop\VBEhHxyHpJ.exe"
  ParentImage: C:\Users\user\Desktop\VBEhHxyHpJ.exe
  ParentProcessId: 7564
  ParentProcessName: VBEhHxyHpJ.exe
  ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ProcessId: 8180
  ProcessName: RegAsm.exe

Sigma matches (Process started). The same event matched three rules, by (1) Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; (2) frack113; (3) Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  CommandLine|base64offset|contains: CB
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\VBEhHxyHpJ.exe"
  ParentImage: C:\Users\user\Desktop\VBEhHxyHpJ.exe
  ParentProcessId: 7564
  ParentProcessName: VBEhHxyHpJ.exe
  ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  ProcessId: 7736
  ProcessName: powershell.exe
  (The command line names System32 but the executed image is under SysWOW64: the 32-bit sample's process creation went through WoW64 file system redirection. Hunting on Image rather than CommandLine avoids missing this.)
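The two process-creation checks above (an encoded PowerShell command line, and RegAsm.exe started with no arguments by a non-developer parent) can be re-run offline over the command lines in this report. The following is an added example and is not Joe Sandbox or Sigma project code. It decodes the -ENC argument the way powershell.exe does (base64 of UTF-16LE; any prefix of -EncodedCommand, plus -ec, is accepted), reproduces the Sigma base64offset modifier so a wide keyword can be matched inside the encoded string without decoding it first, and flags a sacrificial host launched with nothing but its own path. The EVENTS list is constructed from the process tree; the list of sacrificial host names is an assumption modelled on the Sigma rule, not copied from it.

```python
"""Re-run two of the process-creation checks from this report's process tree:
an encoded PowerShell command line, and RegAsm.exe started with no arguments
(the sacrificial process used as an injection host). Added example, not
Joe Sandbox or Sigma project code; EVENTS is constructed from the report."""
import base64
import re
from typing import List, Optional, Tuple

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec.
_ENC_SWITCHES = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}
_ENC_ARG = re.compile(
    r"(?i)(?:^|\s)[-/](?:" + "|".join(sorted(_ENC_SWITCHES, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)")

# Hosts the "Bad Opsec Defaults Sacrificial Processes" Sigma rule looks at.
# Assumed list, modelled on that rule rather than copied from it.
_SACRIFICIAL = {"regasm.exe", "regsvcs.exe", "regsvr32.exe", "rundll32.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}

# Constructed from the process tree in this report.
EVENTS: List[dict] = [
    {"ProcessId": 7736,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
                    "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==",
     "ParentImage": r"C:\Users\user\Desktop\VBEhHxyHpJ.exe"},
    {"ProcessId": 7764,
     "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 8180,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\user\Desktop\VBEhHxyHpJ.exe"},
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def base64offset_variants(needle: bytes) -> List[str]:
    """The three base64 alignments of `needle`, as Sigma's base64offset modifier
    derives them: prepend 0, 1 or 2 bytes, encode, then drop the leading and
    trailing characters whose value depends on bytes outside `needle`."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + needle).decode("ascii")
        start = (0, 2, 3)[shift]
        end = (None, -3, -2)[(len(needle) + shift) % 3]
        variants.append(enc[start:end])
    return variants


def contains_wide_base64(cmdline: str, keyword: str) -> bool:
    """Sigma 'CommandLine|wide|base64offset|contains: <keyword>' without decoding."""
    return any(v in cmdline for v in base64offset_variants(keyword.encode("utf-16-le")))


def launched_without_arguments(event: dict) -> bool:
    """A known sacrificial host whose whole command line is just its image path."""
    image = str(event["Image"]).rsplit("\\", 1)[-1].lower()
    cmd = str(event["CommandLine"]).strip().strip('"').lower()
    return image in _SACRIFICIAL and cmd.endswith("\\" + image)


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """(pid, finding) for every event that trips either check."""
    findings = []
    for ev in events:
        plain = decode_encoded_command(str(ev["CommandLine"]))
        if plain is not None:
            findings.append((ev["ProcessId"], "encoded PowerShell decodes to %r" % plain))
        if launched_without_arguments(ev):
            findings.append((ev["ProcessId"], "%s started with no arguments by %s"
                             % (ev["Image"], ev["ParentImage"])))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(EVENTS):
        print(pid, finding)
    print("wide 'sleep' inside the encoded argument:",
          contains_wide_base64(str(EVENTS[0]["CommandLine"]), "sleep"))
```

The base64offset trick is what lets a rule match "Invoke-" or "sleep" inside an -ENC argument with a plain substring test: every byte offset modulo 3 gives a different encoding, and trimming the boundary characters removes the dependence on whatever precedes and follows the keyword.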

Stealing of Sensitive Information

Sigma match (File created). Rule author: Joe Security
  EventID: 11 (Sysmon FileCreate)
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  ProcessId: 8180
  TargetFilename: C:\ProgramData\remcos\logs.dat (the "Keylog file" from the configuration above)

No Snort rule has matched

AV Detection

Source: VBEhHxyHpJ.exe | Avira: detected
Source: 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos (the configuration listed above)
Source: VBEhHxyHpJ.exe | ReversingLabs: Detection: 87%
Source: Yara match | File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3839273642.0000000002C9E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VBEhHxyHpJ.exe PID: 7564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: VBEhHxyHpJ.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_00432142: CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: VBEhHxyHpJ.exe, 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_da4cc2b1-c)

Exploits

Source: Yara match | File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VBEhHxyHpJ.exe PID: 7564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_00406B71: _wcslen, CoGetObject (the CoGetObject call behind the CMSTPLUA UAC bypass: combined with the "Elevation:Administrator!new:" moniker and the {3E5FC7F9-9A51-4367-9063-A120244FBEC7} CLSID found by the Yara rules above)
Source: VBEhHxyHpJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: VBEhHxyHpJ.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_0044D0F9: FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_0040B0AA: FindFirstFileA, FindClose, DeleteFileA, GetLastError, DeleteFileA, GetLastError, FindNextFileA, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_0040B2B1: FindFirstFileA, FindClose, DeleteFileA, GetLastError, FindNextFileA, FindClose, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_00418650: FindFirstFileW, FindNextFileW, FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_0040B8C7: FindFirstFileW, PathFileExistsW, FindNextFileW, FindClose, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_00408909: __EH_prolog, __CxxThrowException@8, FindFirstFileW, FindNextFileW, FindClose, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_0041AC0A: FindFirstFileW, FindNextFileW, RemoveDirectoryW, SetFileAttributesW, DeleteFileW, GetLastError, FindClose, RemoveDirectoryW, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_00408D1B: __EH_prolog, FindFirstFileW, FindNextFileW, FindClose, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_00407E80: __EH_prolog, FindFirstFileW, __CxxThrowException@8, FindNextFileW, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_00406EB0: FindFirstFileW, FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_0040730B: SetEvent, GetFileAttributesW, DeleteFileW, ShellExecuteW, GetLogicalDriveStringsA, SetFileAttributesW, DeleteFileA, Sleep, StrToIntA, CreateDirectoryW

Networking

Source: Malware configuration extractor | URLs: 103.212.81.159
Source: global traffic | TCP traffic: 192.168.2.9:49713 -> 103.212.81.159:5207
Source: Joe Sandbox View | IP Address: 103.212.81.159
Source: Joe Sandbox View | ASN Name: KANTIPUR-AS-APKantipurPublicationPvtLtdNP
Source: unknown | TCP traffic detected without corresponding DNS query: 103.212.81.159 (reported 50 times; the C2 address is hard-coded in the configuration, so the implant connects without ever resolving a name, and the configured "Connect interval" of 1 drives the reconnect loop)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_004255BC: recv
Source: RegAsm.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: VBEhHxyHpJ.exe, 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp; VBEhHxyHpJ.exe, 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp; VBEhHxyHpJ.exe, 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: VBEhHxyHpJ.exe, 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot (present only in the loader process's memory, PID 7564, not in the injected RegAsm.exe payload)
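Two of the network findings above are easy to reproduce from ordinary connection and DNS logs: a TCP connection to a public address that no DNS answer ever returned (the C2 is hard-coded in the configuration), and a fixed-cadence reconnect loop to one host:port (the configured "Connect interval" of 1 second). The following is an added example, not Joe Sandbox code. The log records are constructed to mirror this report (sandbox host 192.168.2.9 reconnecting to 103.212.81.159:5207 about once a second); the benign DNS answer and connection for example.com are likewise constructed, and the set of "expected" ports is an assumption rather than a standard.

```python
"""Hard-coded C2 and beacon-cadence checks over connection and DNS logs.
Added example, not Joe Sandbox code. All records below are constructed to
mirror this report; none are real captures."""
import ipaddress
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Ports a practitioner would normally expect outbound; assumed list.
EXPECTED_PORTS = {80, 443, 53, 22, 25, 587, 993, 995}

# Constructed DNS answer log: (timestamp, query, answer IPs).
DNS_LOG: List[Tuple[float, str, List[str]]] = [
    (1.0, "example.com", ["93.184.216.34"]),
]

# Constructed connection log: (timestamp, src, dst, dst_port).
CONN_LOG: List[Tuple[float, str, str, int]] = [
    (2.0, "192.168.2.9", "93.184.216.34", 443),
]
# Fifty reconnects to the configured C2, one second apart with a little jitter.
CONN_LOG += [(5.0 + i + ((i * 7) % 3) * 0.05, "192.168.2.9", "103.212.81.159", 5207)
             for i in range(50)]


def connections_without_dns(conns, dns, window: float = 300.0) -> List[Tuple[float, str, int]]:
    """Connections to public addresses that no DNS answer in the preceding `window`
    seconds returned. Private, loopback and link-local destinations are skipped."""
    answers = [(ts, ip) for ts, _query, ips in dns for ip in ips]
    flagged = []
    for ts, _src, dst, dport in conns:
        addr = ipaddress.ip_address(dst)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            continue
        if not any(ip == dst and a_ts <= ts <= a_ts + window for a_ts, ip in answers):
            flagged.append((ts, dst, dport))
    return flagged


def beacon_candidates(conns, min_count: int = 10, max_cv: float = 0.25) -> List[Tuple[str, int, float, int]]:
    """(dst, port, mean gap, count) for destinations contacted at a steady cadence:
    at least `min_count` connections whose inter-arrival coefficient of variation
    (stdev / mean) is at most `max_cv`."""
    by_dst: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for ts, _src, dst, dport in conns:
        by_dst[(dst, dport)].append(ts)
    out = []
    for (dst, dport), times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            out.append((dst, dport, round(mean, 2), len(times)))
    return out


def summarize(conns, dns) -> Dict[str, object]:
    """The three findings in one place: unresolved destinations, odd ports, beacons."""
    unresolved = connections_without_dns(conns, dns)
    return {
        "unresolved_destinations": sorted({(d, p) for _t, d, p in unresolved}),
        "unresolved_count": len(unresolved),
        "odd_ports": sorted({(d, p) for _t, _s, d, p in conns if p not in EXPECTED_PORTS}),
        "beacons": beacon_candidates(conns),
    }


if __name__ == "__main__":
    for key, value in summarize(CONN_LOG, DNS_LOG).items():
        print("%s: %s" % (key, value))
```

The cadence test is deliberately tolerant (a 25% coefficient of variation) because real implants add jitter and networks add latency; the unresolved-destination test is the stronger signal here, since a legitimate client almost always resolves a name shortly before it connects.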

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_004098BB: SetWindowsHookExA 0000000D, 004098A7, 00000000 (idHook 0x0D is WH_KEYBOARD_LL, a global low-level keyboard hook)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_00415802: OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard, OpenClipboard, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard (reported three times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_004099E3: GetForegroundWindow, GetWindowThreadProcessId, GetKeyboardLayout, GetKeyState, GetKeyboardState, ToUnicodeEx

E-Banking Fraud

Source: Yara match | File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3839273642.0000000002C9E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VBEhHxyHpJ.exe PID: 7564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 6_2_0041B35B: SystemParametersInfoW (the wallpaper-change capability listed in the signatures)

                System Summary

                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: VBEhHxyHpJ.exe PID: 7564, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_029BCB3C
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_029BF3B8
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F63C88
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F65B68
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F7015C
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F7124A
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F71198
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F73121
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F70880
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F70903
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_07842AE8
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_07840040
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_07842AD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00437040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_004361CE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_004131DA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0044C249
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00432251
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00426351
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0041C46D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_004264BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00436603
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0043C76D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00425719
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00434731
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_004358BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_004529D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0043C99C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0041DA05
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00436A38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00444AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0043CBCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00451BAB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00425CA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00435DB6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0043CE28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0043307B appears 41 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00402073 appears 50 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 00433700 appears 54 times
                Source: VBEhHxyHpJ.exe, 00000000.00000002.1595240301.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs VBEhHxyHpJ.exe
                Source: VBEhHxyHpJ.exe, 00000000.00000000.1372982004.0000000000786000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameuseeeeeeee.exe< vs VBEhHxyHpJ.exe
                Source: VBEhHxyHpJ.exe | Binary or memory string: OriginalFilenameuseeeeeeee.exe< vs VBEhHxyHpJ.exe
                Source: VBEhHxyHpJ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: VBEhHxyHpJ.exe PID: 7564, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: VBEhHxyHpJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@6/6@0/1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00416840 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0040E991 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0041A003 FindResourceA,LoadResource,LockResource,SizeofResource
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_004195A5 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VBEhHxyHpJ.exe.log
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-RLNEHU
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iejrnzk4.p0x.ps1
                Source: VBEhHxyHpJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: VBEhHxyHpJ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: VBEhHxyHpJ.exe | ReversingLabs: Detection: 87%
                Source: unknown | Process created: C:\Users\user\Desktop\VBEhHxyHpJ.exe "C:\Users\user\Desktop\VBEhHxyHpJ.exe"
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: VBEhHxyHpJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: VBEhHxyHpJ.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: VBEhHxyHpJ.exe | Static file information: File size 1367040 > 1048576
                Source: VBEhHxyHpJ.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x142a00
                Source: VBEhHxyHpJ.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, | 6_2_0041B4C9
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F6771F push es; retf | 0_2_06F6771C
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F67254 push es; retf | 0_2_06F6771C
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F67312 push es; retf | 0_2_06F6771C
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Code function: 0_2_06F785E0 push eax; ret | 0_2_06F785E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00456328 push eax; ret | 6_2_00456346
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0045C51D push esi; ret | 6_2_0045C526
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00433746 push ecx; ret | 6_2_00433759
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00455A06 push ecx; ret | 6_2_00455A19
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00406524 ShellExecuteW,URLDownloadToFileW, | 6_2_00406524
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_004195A5 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, | 6_2_004195A5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, | 6_2_0041B4C9
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Process information set: NOOPENFILEERRORBOX (46 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (76 occurrences)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: VBEhHxyHpJ.exe PID: 7564, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0040ECEA Sleep,ExitProcess, | 6_2_0040ECEA
                Source: VBEhHxyHpJ.exe, 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory allocated: 29B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory allocated: 2A30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory allocated: 4A30000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, | 6_2_004192A3
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3263
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6543
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 1840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 7694
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: foregroundWindowGot 1771
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe TID: 7584 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868 | Thread sleep time: -18446744073709540s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7208 | Thread sleep count: 192 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7208 | Thread sleep time: -96000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7232 | Thread sleep count: 1840 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7232 | Thread sleep time: -5520000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7232 | Thread sleep count: 7694 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7232 | Thread sleep time: -23082000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0044D0F9 FindFirstFileExA, | 6_2_0044D0F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 6_2_0040B0AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 6_2_0040B2B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW, | 6_2_00418650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 6_2_0040B8C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 6_2_00408909
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 6_2_0041AC0A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 6_2_00408D1B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 6_2_00407E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00406EB0 FindFirstFileW,FindNextFileW, | 6_2_00406EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0040730B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, | 6_2_0040730B
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: VBEhHxyHpJ.exe, 00000000.00000002.1595240301.0000000000E11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: VBEhHxyHpJ.exe, 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen
                Source: VBEhHxyHpJ.exe, 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft|VMWare|Virtual
                Source: RegAsm.exe, 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node (graph_6-47897)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 6_2_00433304
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, | 6_2_0041B4C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00441B85 mov eax, dword ptr fs:[00000030h] | 6_2_00441B85
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00411241 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, | 6_2_00411241
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 6_2_00433304
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0043A3F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 6_2_0043A3F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00433452 SetUnhandledExceptionFilter, | 6_2_00433452
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_004338CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 6_2_004338CC
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Process created: Base64 decoded start-sleep -seconds 20
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 457000
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46F000
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 475000
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 476000
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47C000
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D3E008
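The allocation and write rows above are the injection into RegAsm.exe laid out as a sequence: an RWX allocation at 0x400000 in the child, a write at that address that starts with 4D5A (an MZ header), page-aligned writes from 0x401000 up to 0x47C000 (section bodies), and one final write at 0xD3E008, eight bytes into a page well outside the image. RegAsm.exe here is the 32-bit build (it lives under Framework, not Framework64), and in a 32-bit process ImageBaseAddress is at offset 0x08 of the PEB, so that last write is the PEB patch that completes the classic RunPE / process-hollowing sequence. The Python below is added here as an example and is not part of the Joe Sandbox report or of the sample: it parses copies of those rows and reconstructs that timeline. The x86 (+0x08) and x64 (+0x10) PEB offsets are Windows facts; treating every page-aligned write above the base as part of the image, and a write at one of those PEB offsets as the image-base patch, is a heuristic for rows of this shape (an assumption, not something the report states).

```python
"""Reconstruct the RunPE / process-hollowing sequence from Joe Sandbox
"Memory allocated" and "Memory written" rows."""
import re

# Constructed copies of the rows above (VBEhHxyHpJ.exe writing into RegAsm.exe).
ROWS = r"""
Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 457000
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46F000
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 475000
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 476000
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47C000
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D3E008
""".strip().splitlines()

ROW_RE = re.compile(
    r"^Memory (?P<op>allocated|written): (?P<target>.+?) base: (?P<addr>[0-9A-Fa-f]+)"
    r"(?: protect: (?P<protect>.+?))?(?: value starts with: (?P<prefix>[0-9A-Fa-f]+))?$"
)
PAGE = 0x1000
# Offset of ImageBaseAddress inside the PEB: +0x08 in a 32-bit PEB, +0x10 in a 64-bit PEB.
PEB_IMAGEBASE = {0x08: "x86", 0x10: "x64"}


def parse_rows(rows):
    """Turn report rows into dicts; rows that do not match are ignored."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append({"op": m["op"], "target": m["target"], "addr": int(m["addr"], 16),
                           "protect": (m["protect"] or "").lower(),
                           "prefix": (m["prefix"] or "").upper()})
    return events


def analyse_hollowing(rows):
    """Classify every write relative to the first RWX allocation in the target."""
    events = parse_rows(rows)
    res = {"target": None, "image_base": None, "mz_header_written": False,
           "image_writes": [], "peb_patch": [], "min_image_size": 0,
           "verdict": "no RunPE pattern"}
    for ev in events:
        if ev["op"] == "allocated" and "execute" in ev["protect"] and "write" in ev["protect"]:
            res["target"], res["image_base"] = ev["target"], ev["addr"]
            break
    base = res["image_base"]
    if base is None:
        return res
    for ev in events:
        if ev["op"] != "written" or ev["target"] != res["target"]:
            continue
        addr = ev["addr"]
        if addr == base and ev["prefix"].startswith("4D5A"):
            res["mz_header_written"] = True            # DOS header: a PE is being mapped
        if addr >= base and addr % PAGE == 0:
            if addr not in res["image_writes"]:
                res["image_writes"].append(addr)       # headers and section bodies (heuristic)
        elif addr % PAGE in PEB_IMAGEBASE:
            res["peb_patch"].append((addr, PEB_IMAGEBASE[addr % PAGE]))  # PEB->ImageBaseAddress
    res["image_writes"].sort()
    if res["image_writes"]:
        # Lower bound on SizeOfImage: highest page written, plus that page.
        res["min_image_size"] = res["image_writes"][-1] - base + PAGE
    if res["mz_header_written"] and len(res["image_writes"]) > 1 and res["peb_patch"]:
        res["verdict"] = ("RunPE: PE written into %s at 0x%X (at least 0x%X bytes), "
                          "PEB ImageBaseAddress patched"
                          % (res["target"].rsplit("\\", 1)[-1], base, res["min_image_size"]))
    return res


if __name__ == "__main__":
    for key, value in analyse_hollowing(ROWS).items():
        print(f"{key}: {value}")
```

The write at 0xD3E008 is the one to look for in other reports: a single write outside the new image, at PEB+0x08 (or PEB+0x10 for a 64-bit target), is what separates hollowing from a plain shellcode or DLL injection, and the lower bound 0x7D000 on the image size tells you how large a PE to expect when you carve it out of the RegAsm.exe memory dump.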
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 6_2_0041163A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_00418186 mouse_event, | 6_2_00418186
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: RegAsm.exe, 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                Source: RegAsm.exe, 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerX
                Source: RegAsm.exe, 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerHU\
                Source: RegAsm.exe, 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerQ
                Source: RegAsm.exe, 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, logs.dat.6.dr | Binary or memory string: [Program Manager]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0043354D cpuid | 6_2_0043354D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, | 6_2_0044716D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, | 6_2_00450558
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, | 6_2_004507D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, | 6_2_0045081B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, | 6_2_004508B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 6_2_00450943
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, | 6_2_00450B93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: EnumSystemLocalesW, | 6_2_00446C84
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 6_2_00450CBC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoW, | 6_2_00450DC3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoA, | 6_2_0040EE14
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 6_2_00450E90
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Queries volume information: C:\Users\user\Desktop\VBEhHxyHpJ.exe VolumeInformation
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00404F31 GetLocalTime,CreateEventA,CreateThread,6_2_00404F31
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0041A168 GetComputerNameExW,GetUserNameW,6_2_0041A168
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00447A10 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,6_2_00447A10
                Source: C:\Users\user\Desktop\VBEhHxyHpJ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3839273642.0000000002C9E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VBEhHxyHpJ.exe PID: 7564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 6_2_0040AF8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 6_2_0040B0AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \key3.db 6_2_0040B0AA

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RLNEHU
Source: Yara match File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VBEhHxyHpJ.exe.3cfb088.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3839273642.0000000002C9E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VBEhHxyHpJ.exe PID: 7564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: cmd.exe 6_2_0040567A
MITRE ATT&CK Matrix (rows are the matrix rows as shown in the report; a leading number is the report's hit badge for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Defacement
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 11 Deobfuscate/Decode Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | 1 Windows Service | 1 Software Packing | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 322 Process Injection | 1 DLL Side-Loading | LSA Secrets | 33 System Information Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Bypass User Account Control | Cached Domain Credentials | 121 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 322 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Source | Detection | Scanner | Label
VBEhHxyHpJ.exe | 88% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos
VBEhHxyHpJ.exe | 100% | Avira | HEUR/AGEN.1307565
VBEhHxyHpJ.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
103.212.81.159 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
103.212.81.159 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | RegAsm.exe | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | VBEhHxyHpJ.exe, 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | VBEhHxyHpJ.exe, 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, VBEhHxyHpJ.exe, 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, VBEhHxyHpJ.exe, 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.212.81.159 | unknown | Bangladesh | 133923 | KANTIPUR-AS-APKantipurPublicationPvtLtdNP | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1466951
Start date and time: 2024-07-03 15:40:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: VBEhHxyHpJ.exe (renamed because original name is a hash value)
Original Sample Name: 48ef0b4fe2be5a3b34b2189b18e55e3da3c7b70a7d4dde814f7c4c8a5c314d20.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@6/6@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 233
• Number of non-executed functions: 187
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: VBEhHxyHpJ.exe
Time | Type | Description
09:41:05 | API Interceptor | 42x Sleep call for process: powershell.exe modified
09:41:58 | API Interceptor | 5151930x Sleep call for process: RegAsm.exe modified
Match: 103.212.81.159
Associated Sample Name / URL | Detection | Threat Name
Invoice-Debt-Payment Notice.exe | malicious | Njrat
New_Inquiry-pls_quote_parts.exe | malicious | Remcos
4wHtxJJpDg.exe | malicious | Remcos
cmyta2qaJV.exe | malicious | Remcos
NvFed7hV6z.exe | malicious | Remcos
purchaseorder_-_2023-06-1522301.vbs | malicious | Remcos
rPROOFOFPAYMENT0224002039597720230205.exe | malicious | Remcos, GuLoader
vxNpSHMsLN.exe | malicious | XpertRAT
No context
Match: KANTIPUR-AS-APKantipurPublicationPvtLtdNP
Associated Sample Name / URL | Detection | Threat Name | Context
jurojarem2.1.exe | malicious | Remcos | 103.212.81.158
SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.6876.765.rtf | malicious | Remcos | 103.212.81.161
bk.exe | malicious | Remcos, GuLoader | 103.212.81.158
pdMmg5rksj.exe | malicious | zgRAT | 103.212.81.156
xdaQo3Fb2E.exe | malicious | AveMaria, UACMe | 103.212.81.154
Attachment-3_RFQ10004#U00b7pdf.vbe | malicious | Nanocore, GuLoader | 103.212.81.160
UPS-49A829NDJWT#U00b7pdf.vbs | malicious | Nanocore, GuLoader | 103.212.81.160
reference_Drawing_20230821.vbs | malicious | Nanocore, GuLoader | 103.212.81.160
5YT1K8D4GH.exe | malicious | Azorult, zgRAT | 103.212.81.156
invoice.vbs | malicious | Remcos, GuLoader | 103.212.81.157
No context
No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.3934082720720298
Encrypted: false
SSDEEP: 3:rhlKlVEl7x5JWRal2Jl+7R0DAlBG45klovDl6v:6lVM15YcIeeDAlOWAv
MD5: E69C875C2C0E7C577E6331BCF4E86196
SHA1: 78B09AC048DC878384B702A183678D19F0270516
SHA-256: 7B9DE42EA46B7C22E7B693460103ED4DBAA78FAC810367507149B5AD617DF9CA
SHA-512: 149F6CF8F11459A852A2C14E66F08BA75E656B18CC6890E2C8ED3A352D8040B264270083E22D8086346EA61BCE7D31D8E1FC1F5AA2D8644C2AC1F64D2C7964AA
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.4./.0.7./.0.3. .0.9.:.4.1.:.2.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Users\user\Desktop\VBEhHxyHpJ.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1771
Entropy (8bit): 5.354626312265129
Encrypted: false
SSDEEP: 48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HOHKU57UjHKtHKMRr:Pq5qHwCYqh3oPtI6eqzxuqU57UjqtqMZ
MD5: 67EBBC797EDDA9B138160D0CE427EBB5
SHA1: C620F4153A94387FC842AAAB70FC5917ED8733FA
SHA-256: 60DE541770F801A877A00AAA8619037EDD57045201ED7DBFD078A6FCAB49F570
SHA-512: D18FEF2ACD03D47A0E2A85E8F79816FA4C6CD82802F4A373714401DC16BB5AB1C304A885446C6807022AD257AFA1161D3FC3EA16D1B0EB6EE1C89D6E4B74E540
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 5829
Entropy (8bit): 4.901113710259376
Encrypted: false
SSDEEP: 96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5: 7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1: 22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256: 5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512: D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1510207563435464
Encrypted: false
SSDEEP: 3:Nlllul9kLZ:NllUG
MD5: 087D847469EB88D02E57100D76A2E8E4
SHA1: A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256: 81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512: 4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious: false
Reputation: moderate, very likely benign file
Preview: @...e.................................,..............@..........

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.25000326436593
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: VBEhHxyHpJ.exe
File size: 1'367'040 bytes
MD5: f8296e0f8d3011b6655fe5baa9152b85
SHA1: 2be45b7523ce8acb97eda3822c63060f4849daec
SHA256: 48ef0b4fe2be5a3b34b2189b18e55e3da3c7b70a7d4dde814f7c4c8a5c314d20
SHA512: e40e264292f95cdb5d21d2a0381408891c4b593aaf51c66bcf0f5211cd1e22abfc857b137ab94b081f662249e459507d0dee47ca82df583765ec851dc4ebf1d4
SSDEEP: 24576:uYHkJKcS6UH2qACNssMLuKCYUeM9eJr7TaQNf/Fduzy32:wZS12Ossveldy
TLSH: 4C5502314B48FFAACABF0174D0A711A42EA36D6BCD14F3D7AD887D9A3576344A5108B3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bd.................*...........H... ...`....@.. .......................@............`................................
Icon Hash: 2d525272484c550b
Entrypoint: 0x5448fa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6462C688 [Mon May 15 23:55:52 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00544908h]
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1448ac | 0x4c | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x146000 | 0xac16 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x152000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x144908 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0x142910 | 0x142a00 | 9592de47ba88e3032508b288162eb1dd | False | 0.707047898101511 | data | 6.166338149485559 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x146000 | 0xac16 | 0xae00 | 89fd4f979b2b34c6d11ecfd2c87d3113 | False | 0.2657372485632184 | data | 4.34560575790647 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x152000 | 0xc | 0x200 | 5a7d0417a4716af49e057fa625c6f2fd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_ICON | 0x1461a0 | 0x1dac | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9778830963665087
                                RT_ICON | 0x147f5c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m | | | 0.07853094000944733
                                RT_ICON | 0x14c194 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m | | | 0.10020746887966805
                                RT_ICON | 0x14e74c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m | | | 0.14329268292682926
                                RT_ICON | 0x14f804 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m | | | 0.19795081967213116
                                RT_ICON | 0x15019c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m | | | 0.20035460992907803
                                RT_GROUP_ICON | 0x150614 | 0x5a | data | | | 0.7777777777777778
                                RT_VERSION | 0x15067e | 0x39e | data | | | 0.4017278617710583
                                RT_MANIFEST | 0x150a2c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                DLL | Import
                                mscoree.dll | _CorExeMain
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP


                                Target ID:0
                                Start time:09:41:03
                                Start date:03/07/2024
                                Path:C:\Users\user\Desktop\VBEhHxyHpJ.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\VBEhHxyHpJ.exe"
                                Imagebase:0x640000
                                File size:1'367'040 bytes
                                MD5 hash:F8296E0F8D3011B6655FE5BAA9152B85
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1596002036.0000000003C19000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1596002036.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1595727475.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:09:41:04
                                Start date:03/07/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                                Imagebase:0x240000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:09:41:04
                                Start date:03/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff70f010000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:09:41:25
                                Start date:03/07/2024
                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Imagebase:0xab0000
                                File size:65'440 bytes
                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3839273642.0000000002C9E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3839028995.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                Reputation:high
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:14.1%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:19.2%
                                  Total number of Nodes:167
                                  Total number of Limit Nodes:8
                                  execution_graph 36776 29b4528 36777 29b4536 36776->36777 36780 29b3cf4 36777->36780 36779 29b453f 36781 29b3cff 36780->36781 36783 29b456d 36781->36783 36784 29b40d0 36781->36784 36783->36779 36785 29b40db 36784->36785 36788 29b40f0 36785->36788 36787 29b460d 36787->36783 36789 29b40fb 36788->36789 36792 29b4224 36789->36792 36791 29b46e2 36791->36787 36793 29b422f 36792->36793 36796 29b4254 36793->36796 36795 29b47f4 36795->36791 36797 29b425f 36796->36797 36798 29b7819 36797->36798 36801 29bc2e8 36797->36801 36806 29bc2f8 36797->36806 36798->36795 36802 29bc319 36801->36802 36803 29bc33d 36802->36803 36811 29bc4a8 36802->36811 36815 29bc465 36802->36815 36803->36798 36807 29bc319 36806->36807 36808 29bc33d 36807->36808 36809 29bc4a8 KiUserCallbackDispatcher 36807->36809 36810 29bc465 KiUserCallbackDispatcher 36807->36810 36808->36798 36809->36808 36810->36808 36812 29bc4b5 36811->36812 36813 29bc4ef 36812->36813 36820 29bb060 36812->36820 36813->36803 36816 29bc44d 36815->36816 36817 29bc4a2 36815->36817 36816->36803 36818 29bc4ef 36817->36818 36819 29bb060 KiUserCallbackDispatcher 36817->36819 36818->36803 36819->36818 36821 29bb06b 36820->36821 36822 29bd208 36821->36822 36824 29bc85c 36821->36824 36825 29bc867 36824->36825 36826 29b4254 KiUserCallbackDispatcher 36825->36826 36827 29bd277 36826->36827 36830 29bd2f0 36827->36830 36828 29bd286 36828->36822 36831 29bd31e 36830->36831 36832 29bd3ea KiUserCallbackDispatcher 36831->36832 36833 29bd3ef 36831->36833 36832->36833 36733 7843360 36734 7843520 36733->36734 36736 7843386 36733->36736 36735 78434eb 36735->36735 36736->36735 36739 78435e0 PostMessageW 36736->36739 36741 78435d8 36736->36741 36740 784364c 36739->36740 36740->36736 36742 78435e0 PostMessageW 36741->36742 36743 784364c 36742->36743 36743->36736 36622 29bc5c0 36623 29bc606 36622->36623 36624 29bc6f3 36623->36624 36627 29bcb99 36623->36627 36630 29bcba8 36623->36630 36633 29bc7fc 36627->36633 36631 29bcbd6 
36630->36631 36632 29bc7fc DuplicateHandle 36630->36632 36631->36624 36632->36631 36634 29bcc10 DuplicateHandle 36633->36634 36635 29bcbd6 36634->36635 36635->36624 36744 29ba230 36748 29ba319 36744->36748 36756 29ba328 36744->36756 36745 29ba23f 36749 29ba339 36748->36749 36750 29ba35c 36748->36750 36749->36750 36764 29ba5b0 36749->36764 36768 29ba5c0 36749->36768 36750->36745 36751 29ba354 36751->36750 36752 29ba560 GetModuleHandleW 36751->36752 36753 29ba58d 36752->36753 36753->36745 36757 29ba339 36756->36757 36758 29ba35c 36756->36758 36757->36758 36762 29ba5b0 LoadLibraryExW 36757->36762 36763 29ba5c0 LoadLibraryExW 36757->36763 36758->36745 36759 29ba354 36759->36758 36760 29ba560 GetModuleHandleW 36759->36760 36761 29ba58d 36760->36761 36761->36745 36762->36759 36763->36759 36765 29ba5d4 36764->36765 36767 29ba5f9 36765->36767 36772 29b96b0 36765->36772 36767->36751 36769 29ba5d4 36768->36769 36770 29b96b0 LoadLibraryExW 36769->36770 36771 29ba5f9 36769->36771 36770->36771 36771->36751 36773 29ba7a0 LoadLibraryExW 36772->36773 36775 29ba819 36773->36775 36775->36767 36636 78419d8 36637 78419ee 36636->36637 36638 7841a10 36637->36638 36641 7841ba1 36637->36641 36647 7841bb0 36637->36647 36638->36638 36642 7841baa 36641->36642 36643 7841bcd 36641->36643 36642->36643 36653 78432f1 36642->36653 36669 7842ae8 36642->36669 36685 7842ad8 36642->36685 36643->36638 36648 7841bc7 36647->36648 36649 7841bcd 36648->36649 36650 78432f1 14 API calls 36648->36650 36651 7842ad8 14 API calls 36648->36651 36652 7842ae8 14 API calls 36648->36652 36649->36638 36650->36649 36651->36649 36652->36649 36655 7842b3c 36653->36655 36654 78430fa 36654->36643 36655->36654 36658 7842418 VirtualAllocEx WriteProcessMemory 36655->36658 36661 7842280 Wow64SetThreadContext 36655->36661 36662 7842288 Wow64SetThreadContext 36655->36662 36665 7842420 WriteProcessMemory 36655->36665 36668 7842509 WriteProcessMemory 36655->36668 36701 78425bc 36655->36701 36705 78425c8 36655->36705 36709 7842a08 
36655->36709 36713 7842a01 36655->36713 36717 7842360 36655->36717 36721 7842358 36655->36721 36725 78421d0 36655->36725 36729 78421d8 36655->36729 36658->36655 36661->36655 36662->36655 36665->36655 36668->36655 36670 7842b15 36669->36670 36671 78430fa 36670->36671 36672 7842360 VirtualAllocEx 36670->36672 36673 7842418 VirtualAllocEx WriteProcessMemory 36670->36673 36674 7842358 VirtualAllocEx 36670->36674 36675 7842420 WriteProcessMemory 36670->36675 36676 7842509 WriteProcessMemory 36670->36676 36677 78425bc CreateProcessA 36670->36677 36678 78425c8 CreateProcessA 36670->36678 36679 7842280 Wow64SetThreadContext 36670->36679 36680 7842288 Wow64SetThreadContext 36670->36680 36681 7842a01 ReadProcessMemory 36670->36681 36682 7842a08 ReadProcessMemory 36670->36682 36683 78421d0 ResumeThread 36670->36683 36684 78421d8 ResumeThread 36670->36684 36671->36643 36672->36670 36673->36670 36674->36670 36675->36670 36676->36670 36677->36670 36678->36670 36679->36670 36680->36670 36681->36670 36682->36670 36683->36670 36684->36670 36686 7842ae6 36685->36686 36687 78430fa 36686->36687 36688 78425bc CreateProcessA 36686->36688 36689 78425c8 CreateProcessA 36686->36689 36690 7842a01 ReadProcessMemory 36686->36690 36691 7842a08 ReadProcessMemory 36686->36691 36692 78421d0 ResumeThread 36686->36692 36693 78421d8 ResumeThread 36686->36693 36694 7842360 VirtualAllocEx 36686->36694 36695 7842358 VirtualAllocEx 36686->36695 36696 7842420 WriteProcessMemory 36686->36696 36697 7842418 VirtualAllocEx WriteProcessMemory 36686->36697 36698 7842509 WriteProcessMemory 36686->36698 36699 7842280 Wow64SetThreadContext 36686->36699 36700 7842288 Wow64SetThreadContext 36686->36700 36687->36643 36688->36686 36689->36686 36690->36686 36691->36686 36692->36686 36693->36686 36694->36686 36695->36686 36696->36686 36697->36686 36698->36686 36699->36686 36700->36686 36702 7842651 CreateProcessA 36701->36702 36704 7842813 36702->36704 36704->36704 36706 7842651 CreateProcessA 36705->36706 36708 
7842813 36706->36708 36708->36708 36710 7842a53 ReadProcessMemory 36709->36710 36712 7842a97 36710->36712 36712->36655 36714 7842a53 ReadProcessMemory 36713->36714 36716 7842a97 36714->36716 36716->36655 36718 78423a0 VirtualAllocEx 36717->36718 36720 78423dd 36718->36720 36720->36655 36722 78423a0 VirtualAllocEx 36721->36722 36724 78423dd 36722->36724 36724->36655 36726 7842218 ResumeThread 36725->36726 36728 7842249 36726->36728 36728->36655 36730 7842218 ResumeThread 36729->36730 36732 7842249 36730->36732 36732->36655
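The call graph above, rooted at the 0x7840000 region, strings together the classic process-hollowing API set: CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, all reachable from the same caller (node 36670). The following added example, which is not part of the Joe Sandbox report, parses this edge-list format (node definitions as "<id> <hex address> [API names...]", edges as "<a>-><b>", roll-ups such as "14 API calls" carry no names and are skipped) and scores the APIs reachable from a node against the hollowing steps. The sample input is an excerpt copied from the page's own call graph; the regular expressions assume addresses are 6 to 8 lowercase hex digits and API names are Win32 export names, which holds for this report but is an assumption in general.

```python
"""Parse a Joe Sandbox call-graph edge list and score it for process hollowing."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed test input: a subset of the page's call graph for the 0x7840000 region.
SAMPLE_CALL_GRAPH = (
    "36669 7842ae8 36642->36669 "
    "36670 7842b15 36669->36670 36671 78430fa 36670->36671 "
    "36672 7842360 VirtualAllocEx 36670->36672 "
    "36673 7842418 VirtualAllocEx WriteProcessMemory 36670->36673 "
    "36674 7842358 VirtualAllocEx 36670->36674 "
    "36675 7842420 WriteProcessMemory 36670->36675 "
    "36676 7842509 WriteProcessMemory 36670->36676 "
    "36677 78425bc CreateProcessA 36670->36677 "
    "36678 78425c8 CreateProcessA 36670->36678 "
    "36679 7842280 Wow64SetThreadContext 36670->36679 "
    "36680 7842288 Wow64SetThreadContext 36670->36680 "
    "36681 7842a01 ReadProcessMemory 36670->36681 "
    "36682 7842a08 ReadProcessMemory 36670->36682 "
    "36683 78421d0 ResumeThread 36670->36683 "
    "36684 78421d8 ResumeThread 36670->36684 "
    "36671->36643 36672->36670 36673->36670 36674->36670 36675->36670 "
    "36676->36670 36677->36670 36678->36670 36679->36670 36680->36670 "
    "36681->36670 36682->36670 36683->36670 36684->36670 "
    "36650 78432f1 14 API calls 36648->36650"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^[0-9a-f]{6,8}$")      # assumption: 6-8 lowercase hex digits
_API = re.compile(r"^[A-Z][A-Za-z0-9]*$")   # Win32 export names (VirtualAllocEx, ...)

# Hollowing steps and the Win32/Nt names that implement each one.
HOLLOWING_STEPS = (
    ("create_process", {"CreateProcessA", "CreateProcessW"}),
    ("read_target", {"ReadProcessMemory", "NtReadVirtualMemory"}),
    ("alloc_in_target", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write_payload", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("set_thread_context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume_thread", {"ResumeThread", "NtResumeThread"}),
)


@dataclass
class Node:
    node_id: int
    address: int
    apis: tuple = ()


@dataclass
class CallGraph:
    nodes: dict = field(default_factory=dict)
    edges: dict = field(default_factory=lambda: defaultdict(set))


def parse_call_graph(text):
    """Tokenise the edge list: node definitions, then their API names, then edges."""
    g = CallGraph()
    toks = text.split()
    i = 0
    while i < len(toks):
        m = _EDGE.match(toks[i])
        if m:
            g.edges[int(m.group(1))].add(int(m.group(2)))
            i += 1
            continue
        if toks[i].isdigit() and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
            node_id, addr = int(toks[i]), int(toks[i + 1], 16)
            i += 2
            apis = []
            while i < len(toks) and _API.match(toks[i]):   # names directly after the address
                apis.append(toks[i])
                i += 1
            g.nodes[node_id] = Node(node_id, addr, tuple(apis))
            continue
        i += 1   # roll-up annotations such as "14 API calls" carry no API names
    return g


def reachable_apis(g, root):
    """Union of API names on every node reachable from root (what the roll-ups count)."""
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        n = queue.popleft()
        node = g.nodes.get(n)
        if node:
            apis.update(node.apis)
        for succ in g.edges.get(n, ()):     # edges may point at nodes outside the excerpt
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return apis


def assess_hollowing(apis):
    """Map each hollowing step to whether one of its implementing APIs is present."""
    return {label: bool(apis & names) for label, names in HOLLOWING_STEPS}


def hollowing_score(apis):
    return sum(assess_hollowing(apis).values())


if __name__ == "__main__":
    g = parse_call_graph(SAMPLE_CALL_GRAPH)
    for root in (36670, 36650):
        apis = reachable_apis(g, root)
        print(f"node {root} @ {g.nodes[root].address:#x}: "
              f"{hollowing_score(apis)}/6 hollowing steps -> {sorted(apis)}")
```

Two caveats when reading the result. The graph establishes that all six steps are reachable from one function, not the order in which they were called; confirming the sequence (suspended CreateProcessA, then unmap/write, then context change, then resume) needs the API trace rather than the static graph. Second, the dump this graph comes from is listed as "based on PE: false" at offset 07840000, so the hollowing logic itself runs from memory not backed by an image on disk, which is the memory-region property a scanner should key on alongside the API set.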

                                  Control-flow Graph

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078423CE
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078424B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: AllocMemoryProcessVirtualWrite
                                  • String ID:
                                  • API String ID: 645232735-0
                                  • Opcode ID: f78bade7f48e83ff3bd3b77f07237cc4326b1efcb9916d81458158c2ad1cff16
                                  • Instruction ID: 7ffc889d7fcfac6ad0cfe0eee000b0dce52b84e290c95390d08f95b0f3f7f6a9
                                  • Opcode Fuzzy Hash: f78bade7f48e83ff3bd3b77f07237cc4326b1efcb9916d81458158c2ad1cff16
                                  • Instruction Fuzzy Hash: A54137B290430D9FDB10CFAAC8457EEBBF1FF48310F10842AE959A7650C7B99555DBA0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 744 7840040-784005d 992 784005d call 7840007 744->992 993 784005d call 7840040 744->993 747 7840063-7840065 994 7840067 call 6f7fa90 747->994 995 7840067 call 6f7fa7f 747->995 748 784006c-7840083 752 7840154-784015d 748->752 753 7840089-78400a2 748->753 756 78400a4-78400b0 753->756 757 78400b2-78400e9 753->757 760 78400eb-78400f3 756->760 757->760 762 78400f5-78400fc 760->762 763 78400fe-7840101 760->763 766 7840131-784014d 762->766 764 7840103-784010a 763->764 765 784015e-7840199 763->765 768 78401a0-78401ec 764->768 769 7840110-7840128 764->769 765->768 766->752 783 78401ee-78401fb 768->783 784 784022b-784022d 768->784 769->765 781 784012a 769->781 781->766 790 7840225-7840229 783->790 791 78401fd-7840223 783->791 786 7840232-784023f 784->786 787 7840245-78402a9 786->787 788 78402ce-78402e6 786->788 833 78402c1 787->833 834 78402ab-78402bf 787->834 798 78403b0-78403cc 788->798 799 78402ec-7840308 788->799 790->786 791->786 809 78403d2-78403e1 798->809 810 784053a-7840556 798->810 807 784032c-7840335 799->807 808 784030a-7840319 799->808 822 784033d-784034c 807->822 817 784031f-784032a 808->817 818 7840709-7840730 808->818 809->818 819 78403e7-784040d 809->819 824 78406ac-78406ae 810->824 825 784055c-784056b 810->825 817->822 828 7840736-7840742 818->828 829 78407fd-7840822 818->829 856 7840413-784041f 819->856 857 784040f-7840411 819->857 837 7840361-784036d 822->837 838 784034e-784035a 822->838 830 78406b5-78406c7 824->830 825->818 843 7840571-7840597 825->843 845 7840744-7840752 828->845 846 7840753-784076c 828->846 875 7840829-784085e 829->875 847 7840701-7840708 830->847 848 78406c9-78406d6 830->848 842 78402c3-78402c9 833->842 834->842 853 7840383-78403ab 837->853 854 784036f-784037b 837->854 838->837 842->830 879 784059d-78405a9 843->879 880 7840599-784059b 843->880 876 784076e-784077b 846->876 877 784079f-78407b6 846->877 859 78406dd-78406df 848->859 853->830 854->853 861 7840426-7840428 856->861 
857->861 859->847 865 78406e1-78406fa 859->865 863 7840462-7840499 861->863 864 784042a-7840445 861->864 904 78404a0-78404bb 863->904 891 7840447-7840449 864->891 892 784044b-7840457 864->892 865->847 906 7840866-78408c7 875->906 876->875 893 7840781-7840790 876->893 900 78407c0-78407f5 877->900 901 78407b8-78407bf 877->901 882 78405b0-78405b2 879->882 880->882 889 78405b4-78405eb 882->889 890 78405f2-784061e 882->890 889->890 930 7840620-7840639 890->930 931 7840658-78406aa 890->931 896 784045e-7840460 891->896 892->896 893->906 907 7840796-784079e 893->907 896->863 896->904 900->829 920 78404c1-78404cd 904->920 921 78404bd-78404bf 904->921 941 78408d0-7840b8f 906->941 925 78404d4-78404d6 920->925 921->925 927 7840516-7840535 925->927 928 78404d8-784050f 925->928 927->830 928->927 930->931 943 784063b-7840656 930->943 931->830 943->830 992->747 993->747 994->748 995->748
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: |kIq
                                  • API String ID: 0-1117147423
                                  • Opcode ID: b2773005cd1b539fcf3c7019d225a64668e6ca4e51d083a08c19cbc0e219d5b2
                                  • Instruction ID: 96aed3bfe482c2ab82d6e1d2d8231a25812f0b41668cf4829985bf10b2e4a0ed
                                  • Opcode Fuzzy Hash: b2773005cd1b539fcf3c7019d225a64668e6ca4e51d083a08c19cbc0e219d5b2
                                  • Instruction Fuzzy Hash: 1B723B747002099FDB14EF74D994AAABBF2FF89310B1044A9E946DB3A1DB75EC06CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: y
                                  • API String ID: 0-4225443349
                                  • Opcode ID: 99a75e875339b45ed8dbefb62548485c3255e54b9ee158e994edbbfda3a237ab
                                  • Instruction ID: fd6b8616b7e335320803f59ba09aa48f81cef4a9da4459165f79c092599ce690
                                  • Opcode Fuzzy Hash: 99a75e875339b45ed8dbefb62548485c3255e54b9ee158e994edbbfda3a237ab
                                  • Instruction Fuzzy Hash: C491FA33F04645DFCB60CB68CC816AEBBB2AF85204F18C5A7D4AADB346C631D946D791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3441644643ee293c3564031433dfcf53cf2658edd063683aa1504d2ff47d82bf
                                  • Instruction ID: 33a9ee8fe2d4139f6107fa1960d62b550b316acad1e9899bdfd0bb71b957328b
                                  • Opcode Fuzzy Hash: 3441644643ee293c3564031433dfcf53cf2658edd063683aa1504d2ff47d82bf
                                  • Instruction Fuzzy Hash: 1832EF35B143118FEB648B29D44AB6DBBF2FB85714F14856AF842CB391CB75D881CB82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2c8eeca7215b3e900d9ac2e02ef0d88defbb10506bd96d2801a6f9e06ec12567
                                  • Instruction ID: d1af9d04f169eeaa2b4108f5627fc80dd13172134d453bdc2c2416b5296d0ed0
                                  • Opcode Fuzzy Hash: 2c8eeca7215b3e900d9ac2e02ef0d88defbb10506bd96d2801a6f9e06ec12567
                                  • Instruction Fuzzy Hash: 40223F70B002199FDB18DFB9D850BAEB7B2BF84740F1485A9E80AEB390DF759D458B50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fa1e652ac02ba4398bcf29548c1440e8397ff8e35d8dd8c0b15d1a684ac44bf7
                                  • Instruction ID: 706d2a5d849721322a8c102ab09cbc288485bf77b611be9a3cc0576eccdbad0c
                                  • Opcode Fuzzy Hash: fa1e652ac02ba4398bcf29548c1440e8397ff8e35d8dd8c0b15d1a684ac44bf7
                                  • Instruction Fuzzy Hash: EB32B131E1035ACFDB54EF74C84469CBBB1FF95300F1186A9E849AB251EB34A989CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9bae721510c7a984df468aa42fd7afbefd7049e3c6a8095801ca8e723a78d637
                                  • Instruction ID: 8dd9b7e5ec5b19eaa724bfdf7b5f81e02af42da7c5dff17c978094d594534292
                                  • Opcode Fuzzy Hash: 9bae721510c7a984df468aa42fd7afbefd7049e3c6a8095801ca8e723a78d637
                                  • Instruction Fuzzy Hash: BC025D70B002199FDB14DFB9C850BAEB7E2BF88350F248569E909EB395DB71DD428B50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d429d9c4563bc68b728a1cd95e5abf5110ec258bcf3a03be26a5d6848b770b72
                                  • Instruction ID: d2e0c31dee375fda0bc9dac13ffb60af9fb588d953df2553a1d5f0c490e20e9b
                                  • Opcode Fuzzy Hash: d429d9c4563bc68b728a1cd95e5abf5110ec258bcf3a03be26a5d6848b770b72
                                  • Instruction Fuzzy Hash: 44715A75E112288FDB04DF69D854AAEBBF2BF88305F05856AE806E7354CB346E05DF90

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 20 6f69a98-6f69ad9 24 6f69af3-6f69b09 20->24 25 6f69adb-6f69aea 20->25 27 6f69b4c-6f69b5e 24->27 28 6f69b0b-6f69b1f 24->28 25->24 26 6f69aec-6f69aee 25->26 31 6f69baf-6f69bb6 26->31 29 6f69b60-6f69b74 27->29 30 6f69ba1-6f69ba4 27->30 35 6f69b21 28->35 36 6f69b28-6f69b46 28->36 39 6f69b76 29->39 40 6f69b7d-6f69b9b 29->40 30->31 33 6f69bca-6f69bda 31->33 34 6f69bb8-6f69bc1 31->34 42 6f69bdd-6f69beb 33->42 34->33 35->36 36->27 39->40 40->30 47 6f69c50-6f69c76 42->47 48 6f69bed-6f69bf0 42->48 49 6f69c02-6f69c06 47->49 67 6f69c78-6f69c91 47->67 48->49 50 6f69bf2-6f69bf5 48->50 53 6f69c17-6f69c1b 49->53 54 6f69c08-6f69c0d 49->54 51 6f6a10b-6f6a15b 50->51 52 6f69bfb 50->52 68 6f6a162-6f6a172 51->68 52->49 56 6f69c35-6f69c39 53->56 57 6f69c1d-6f69c2c 53->57 160 6f69c10 call 6f65b40 54->160 161 6f69c10 call 6f65b68 54->161 60 6f6a1c5-6f6a1e1 56->60 61 6f69c3f-6f69c4b 56->61 57->56 59 6f69c13-6f69c15 59->42 59->53 61->68 73 6f69ca2-6f69ca4 67->73 74 6f69c93-6f69ca0 67->74 75 6f6a174-6f6a1ab 68->75 76 6f6a1ad-6f6a1c2 68->76 78 6f69f74-6f69f78 73->78 79 6f69caa-6f69cb1 73->79 74->73 75->76 76->60 82 6f69f8e-6f69f9b 78->82 83 6f69f7a-6f69f8c 78->83 84 6f69cb7-6f69cc6 79->84 85 6f69d75-6f69d8d 79->85 82->49 96 6f69fa1-6f69fc9 82->96 83->82 98 6f69fce-6f69fd2 83->98 84->85 99 6f69ccc-6f69d3e 84->99 87 6f69d93-6f69d9f 85->87 88 6f69f4f 85->88 90 6f69da1-6f69dae 87->90 91 6f69db9-6f69e05 87->91 97 6f69f57-6f69f6f 88->97 90->97 106 6f69db4 90->106 126 6f69e07-6f69e2c 91->126 127 6f69e33-6f69e7b 91->127 96->49 97->49 101 6f69fd4-6f69fe2 98->101 102 6f6a001-6f6a02d call 6f65ac0 call 6f65b68 98->102 134 6f69d44-6f69d6a 99->134 135 6f69e82-6f69ea7 99->135 115 6f69fe4-6f69fe6 101->115 116 6f69fe8-6f69ff1 101->116 122 6f6a033-6f6a055 call 6f6cbc8 102->122 123 6f69eae-6f69ed8 102->123 106->49 118 6f69ff9 115->118 162 6f69ff3 call 6f7be90 116->162 163 6f69ff3 call 6f7c0f8 116->163 118->102 133 6f6a05b-6f6a05d 122->133 137 6f69f06-6f69f48 
123->137 138 6f69eda-6f69eff 123->138 126->127 127->135 133->49 140 6f6a063-6f6a07b 133->140 134->85 135->123 137->88 138->137 140->49 160->59 161->59 162->118 163->118
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: +o!l^$;o!l^
                                  • API String ID: 0-1918442181
                                  • Opcode ID: 1d7fbf10bb1ff8c13fb49587892887f1e5076e8431c09ec40622a863c1c8a4d6
                                  • Instruction ID: d5cea9b17dce2a5bfeb8a67064e287b3610b92cf0b1d8f77bd5ee0ab8b362a83
                                  • Opcode Fuzzy Hash: 1d7fbf10bb1ff8c13fb49587892887f1e5076e8431c09ec40622a863c1c8a4d6
                                  • Instruction Fuzzy Hash: F2223B74A00219DFDB64DF65D894AAE7BB2FF88310F208158F906A73A5CB71AC51CF91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 165 6f625e0-6f625e2 166 6f625e4-6f625e8 165->166 167 6f625eb-6f62623 165->167 166->167 228 6f62626 call 6f628a0 167->228 229 6f62626 call 6f6288d 167->229 170 6f6262c-6f6263d 172 6f62646-6f62679 170->172 176 6f626b5-6f626ef 172->176 177 6f6267b-6f6268f 172->177 188 6f626f5-6f6270f 176->188 189 6f6284a-6f6286c 176->189 180 6f62691 177->180 181 6f62698-6f626b3 177->181 180->181 181->176 196 6f62711-6f62727 188->196 197 6f6272c-6f62758 188->197 191 6f62877 189->191 192 6f6286e 189->192 194 6f62878 191->194 192->191 194->194 202 6f62839-6f62844 196->202 206 6f62802-6f6281b 197->206 207 6f6275e-6f6277f 197->207 202->188 202->189 209 6f62826 206->209 210 6f6281d 206->210 214 6f62781-6f6278b 207->214 215 6f6278d-6f6279b 207->215 209->202 210->209 218 6f627f1-6f627fc 214->218 219 6f6279d-6f627b7 215->219 220 6f627b9-6f627e5 215->220 218->206 218->207 219->218 219->220 220->218 227 6f627e7-6f627ea 220->227 227->218 228->170 229->170
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: L<Pq$;!l^
                                  • API String ID: 0-167034220
                                  • Opcode ID: 492e03063e17046013e72179dcef5bfc52cb7b9c630c0d21c20c9fcde323cce8
                                  • Instruction ID: 60a2c24622ef2408d480a2d273e92a99272e42be88389f4ea411cd41228dee02
                                  • Opcode Fuzzy Hash: 492e03063e17046013e72179dcef5bfc52cb7b9c630c0d21c20c9fcde323cce8
                                  • Instruction Fuzzy Hash: A4619434B002059FCB54DFB9D96466EBBF2EF89750B208029E406E7390DF749D05CBA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 230 6f7ec60-6f7ec72 232 6f7ee49-6f7ee93 230->232 233 6f7ec78-6f7ec89 230->233 236 6f7ecec-6f7ecf7 233->236 237 6f7ec8b-6f7ec9c 233->237 244 6f7ed09-6f7ed17 236->244 245 6f7ecf9-6f7ed07 236->245 242 6f7eca2-6f7ecb3 237->242 243 6f7ed3a-6f7ed45 237->243 251 6f7ed6a-6f7ed75 242->251 252 6f7ecb9-6f7ecca 242->252 253 6f7ed47-6f7ed54 243->253 254 6f7ed59-6f7ed65 243->254 249 6f7ed1d-6f7ed35 244->249 245->249 260 6f7ee3f-6f7ee46 249->260 261 6f7ed87-6f7ed91 251->261 262 6f7ed77-6f7ed82 251->262 263 6f7ecd0-6f7ece1 252->263 264 6f7ed9d-6f7eda8 252->264 253->260 254->260 267 6f7ed98 261->267 262->260 270 6f7ece7-6f7ee13 263->270 271 6f7edcd-6f7edd8 263->271 272 6f7edba-6f7edcb 264->272 273 6f7edaa-6f7edb5 264->273 267->260 284 6f7ee15-6f7ee20 270->284 285 6f7ee22-6f7ee2b 270->285 278 6f7ede7-6f7edf8 271->278 279 6f7edda-6f7ede5 271->279 272->260 273->260 278->260 279->260 287 6f7ee33-6f7ee35 284->287 285->287 287->260
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: l;Pq$?Pq
                                  • API String ID: 0-2685607853
                                  • Opcode ID: e3e025878902572962769e0b1c8e4eda852446de5c4385f0a8fa38143a65de0f
                                  • Instruction ID: ec976e0800342a6d0346af9a299c905901b1b6f7b66b58b2b48deb280cee5d7c
                                  • Opcode Fuzzy Hash: e3e025878902572962769e0b1c8e4eda852446de5c4385f0a8fa38143a65de0f
                                  • Instruction Fuzzy Hash: AD519475F0021A8FEB59977A88606BEB7E7BFD4640B15846BD402D7394DE34CC02C7A9

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 288 6f7cf88-6f7cf89 289 6f7cf93-6f7cfb1 288->289 290 6f7cf8c-6f7cf91 288->290 291 6f7cfbb-6f7cfc1 289->291 290->289 292 6f7cfcd-6f7df3e 291->292 513 6f7df48-6f7df5a call 6f79f60 292->513 515 6f7df5f-6f7df75 513->515
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ;9 l^
                                  • API String ID: 0-1774188354
                                  • Opcode ID: 35f1b986f28751ddcaefce59ae1e65812094c5a5620ef970b831843ddfaa8adc
                                  • Instruction ID: 50f227633965eee7194cfa361fc21bed02e882be825e50194b629f536ae578c2
                                  • Opcode Fuzzy Hash: 35f1b986f28751ddcaefce59ae1e65812094c5a5620ef970b831843ddfaa8adc
                                  • Instruction Fuzzy Hash: 7792C270A01218DFEB659F60D858BEDBBB2FF89300F1045E9D5096B2A4DB319E84CF95

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 517 6f7cf98-6f7df5a call 6f79f60 742 6f7df5f-6f7df75 517->742
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ;9 l^
                                  • API String ID: 0-1774188354
                                  • Opcode ID: c4cda64f25db8e6dd684fe4f2dc6fae1b9ff4cc68c4ed780677fde05d1887496
                                  • Instruction ID: 68dba43cf35d2804c9de125070b5ae42a0a18828d85592ee628cf25d3678fb03
                                  • Opcode Fuzzy Hash: c4cda64f25db8e6dd684fe4f2dc6fae1b9ff4cc68c4ed780677fde05d1887496
                                  • Instruction Fuzzy Hash: 2092C270A01218DFEB659F60D858BEDBBB2FF89300F1045E9D5096B2A4DB319E84CF95

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 996 78425bc-784265d 998 7842696-78426b6 996->998 999 784265f-7842669 996->999 1004 78426ef-784271e 998->1004 1005 78426b8-78426c2 998->1005 999->998 1000 784266b-784266d 999->1000 1001 7842690-7842693 1000->1001 1002 784266f-7842679 1000->1002 1001->998 1006 784267d-784268c 1002->1006 1007 784267b 1002->1007 1015 7842757-7842811 CreateProcessA 1004->1015 1016 7842720-784272a 1004->1016 1005->1004 1008 78426c4-78426c6 1005->1008 1006->1006 1009 784268e 1006->1009 1007->1006 1010 78426c8-78426d2 1008->1010 1011 78426e9-78426ec 1008->1011 1009->1001 1013 78426d4 1010->1013 1014 78426d6-78426e5 1010->1014 1011->1004 1013->1014 1014->1014 1017 78426e7 1014->1017 1027 7842813-7842819 1015->1027 1028 784281a-78428a0 1015->1028 1016->1015 1018 784272c-784272e 1016->1018 1017->1011 1020 7842730-784273a 1018->1020 1021 7842751-7842754 1018->1021 1022 784273c 1020->1022 1023 784273e-784274d 1020->1023 1021->1015 1022->1023 1023->1023 1025 784274f 1023->1025 1025->1021 1027->1028 1038 78428b0-78428b4 1028->1038 1039 78428a2-78428a6 1028->1039 1041 78428c4-78428c8 1038->1041 1042 78428b6-78428ba 1038->1042 1039->1038 1040 78428a8 1039->1040 1040->1038 1044 78428d8-78428dc 1041->1044 1045 78428ca-78428ce 1041->1045 1042->1041 1043 78428bc 1042->1043 1043->1041 1047 78428ee-78428f5 1044->1047 1048 78428de-78428e4 1044->1048 1045->1044 1046 78428d0 1045->1046 1046->1044 1049 78428f7-7842906 1047->1049 1050 784290c 1047->1050 1048->1047 1049->1050 1052 784290d 1050->1052 1052->1052
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078427FE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: f896289de89abe1bc2c035d04b68430f89b21607f4755c029e914fe3833b92ce
                                  • Instruction ID: a83e75663d46c8c82040b083bdf6937bce191010554074179cd976cb7c764f32
                                  • Opcode Fuzzy Hash: f896289de89abe1bc2c035d04b68430f89b21607f4755c029e914fe3833b92ce
                                  • Instruction Fuzzy Hash: 6CA14AB1D0421E9FEB14CF68C8407DEBBB2BF58314F1485A9E848E7280DBB49985CF91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1053 78425c8-784265d 1055 7842696-78426b6 1053->1055 1056 784265f-7842669 1053->1056 1061 78426ef-784271e 1055->1061 1062 78426b8-78426c2 1055->1062 1056->1055 1057 784266b-784266d 1056->1057 1058 7842690-7842693 1057->1058 1059 784266f-7842679 1057->1059 1058->1055 1063 784267d-784268c 1059->1063 1064 784267b 1059->1064 1072 7842757-7842811 CreateProcessA 1061->1072 1073 7842720-784272a 1061->1073 1062->1061 1065 78426c4-78426c6 1062->1065 1063->1063 1066 784268e 1063->1066 1064->1063 1067 78426c8-78426d2 1065->1067 1068 78426e9-78426ec 1065->1068 1066->1058 1070 78426d4 1067->1070 1071 78426d6-78426e5 1067->1071 1068->1061 1070->1071 1071->1071 1074 78426e7 1071->1074 1084 7842813-7842819 1072->1084 1085 784281a-78428a0 1072->1085 1073->1072 1075 784272c-784272e 1073->1075 1074->1068 1077 7842730-784273a 1075->1077 1078 7842751-7842754 1075->1078 1079 784273c 1077->1079 1080 784273e-784274d 1077->1080 1078->1072 1079->1080 1080->1080 1082 784274f 1080->1082 1082->1078 1084->1085 1095 78428b0-78428b4 1085->1095 1096 78428a2-78428a6 1085->1096 1098 78428c4-78428c8 1095->1098 1099 78428b6-78428ba 1095->1099 1096->1095 1097 78428a8 1096->1097 1097->1095 1101 78428d8-78428dc 1098->1101 1102 78428ca-78428ce 1098->1102 1099->1098 1100 78428bc 1099->1100 1100->1098 1104 78428ee-78428f5 1101->1104 1105 78428de-78428e4 1101->1105 1102->1101 1103 78428d0 1102->1103 1103->1101 1106 78428f7-7842906 1104->1106 1107 784290c 1104->1107 1105->1104 1106->1107 1109 784290d 1107->1109 1109->1109
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078427FE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: dee388a3aa9e0270cb515670a855647f5fb0a38f3be3413c7d72affed4fe99b2
                                  • Instruction ID: f999abbf86db9b0b19e59add5decb208f214083f4b87b6d2c54fe0facc9fb0be
                                  • Opcode Fuzzy Hash: dee388a3aa9e0270cb515670a855647f5fb0a38f3be3413c7d72affed4fe99b2
                                  • Instruction Fuzzy Hash: 29913AB1D0421D9FEB14CF68C840BEEBBB2BF58314F1485A9E808E7250DBB49985CF91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1110 29ba328-29ba337 1111 29ba339-29ba346 call 29b85e4 1110->1111 1112 29ba363-29ba367 1110->1112 1117 29ba348 1111->1117 1118 29ba35c 1111->1118 1113 29ba37b-29ba3bc 1112->1113 1114 29ba369-29ba373 1112->1114 1121 29ba3c9-29ba3d7 1113->1121 1122 29ba3be-29ba3c6 1113->1122 1114->1113 1167 29ba34e call 29ba5b0 1117->1167 1168 29ba34e call 29ba5c0 1117->1168 1118->1112 1124 29ba3fb-29ba3fd 1121->1124 1125 29ba3d9-29ba3de 1121->1125 1122->1121 1123 29ba354-29ba356 1123->1118 1128 29ba498-29ba558 1123->1128 1129 29ba400-29ba407 1124->1129 1126 29ba3e9 1125->1126 1127 29ba3e0-29ba3e7 call 29b9654 1125->1127 1133 29ba3eb-29ba3f9 1126->1133 1127->1133 1160 29ba55a-29ba55d 1128->1160 1161 29ba560-29ba58b GetModuleHandleW 1128->1161 1131 29ba409-29ba411 1129->1131 1132 29ba414-29ba41b 1129->1132 1131->1132 1135 29ba428-29ba431 call 29b9664 1132->1135 1136 29ba41d-29ba425 1132->1136 1133->1129 1141 29ba43e-29ba443 1135->1141 1142 29ba433-29ba43b 1135->1142 1136->1135 1144 29ba461-29ba465 1141->1144 1145 29ba445-29ba44c 1141->1145 1142->1141 1165 29ba468 call 29ba8b0 1144->1165 1166 29ba468 call 29ba8c0 1144->1166 1145->1144 1146 29ba44e-29ba45e call 29b9674 call 29b9684 1145->1146 1146->1144 1148 29ba46b-29ba46e 1151 29ba491-29ba497 1148->1151 1152 29ba470-29ba48e 1148->1152 1152->1151 1160->1161 1162 29ba58d-29ba593 1161->1162 1163 29ba594-29ba5a8 1161->1163 1162->1163 1165->1148 1166->1148 1167->1123 1168->1123
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 029BA57E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1595598732.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_29b0000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 0189bd97a8edd8d56263485db307a9cbc3ea64161f841b33d849c3a5e132b891
                                  • Instruction ID: d7512679f0aea3417208083ddb5426de29327cf588991c2fdca26d677ee211ba
                                  • Opcode Fuzzy Hash: 0189bd97a8edd8d56263485db307a9cbc3ea64161f841b33d849c3a5e132b891
                                  • Instruction Fuzzy Hash: 2C714670A00B048FDB25DF2AD54479ABBF6FF88314F00892ED48AD7A50D775E906CB91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
Control-flow graph data (rendered graph omitted): basic blocks spanning 06F7DFFF-06F7E57E, first node 06F7E0E8; no API call nodes in this graph.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: d
                                  • API String ID: 0-2564639436
                                  • Opcode ID: 433ac20eae45874f35a00f83e009419dd387867d72c755bf8a35da715f50381d
                                  • Instruction ID: cd7c56deaeb20553e2ac8b7166638115069e3fddd4c23776c4f09b24a55569ff
                                  • Opcode Fuzzy Hash: 433ac20eae45874f35a00f83e009419dd387867d72c755bf8a35da715f50381d
                                  • Instruction Fuzzy Hash: ACF16C74A006058FD754CF28C48096ABBF2FF89314B25C6AAD46ADB7A2D730FC45CB91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
Control-flow graph data (rendered graph omitted): basic blocks spanning 07842491-078425B0, first node 07842509; WriteProcessMemory is called from block 0784249B-078424BD.
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078424B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: ad2d8e67c845091aa76829afa20791ded106e09620bb0f2f06108df2bcd25023
                                  • Instruction ID: c9de409c02f5d92bfa902c468ffb794663dc17625f0981e6acdbd7d0b58f8715
                                  • Opcode Fuzzy Hash: ad2d8e67c845091aa76829afa20791ded106e09620bb0f2f06108df2bcd25023
                                  • Instruction Fuzzy Hash: 7D319CB28043099FDB20CFAAC8447DEFBF4FF58324F10841AE559A7650C7B99585CBA4

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
Control-flow graph data (rendered graph omitted): basic blocks spanning 07842420-078424F6, first node 07842420; WriteProcessMemory is called from block 0784247E-078424BD.
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078424B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 1e99316fdd7e00154922432da5ece3d419b0383f6d6852b0714c992daaff7106
                                  • Instruction ID: 4e890f3ecbe87608ecc2965edaa546cd81b2f50773ea6e81f96e38e8417f8217
                                  • Opcode Fuzzy Hash: 1e99316fdd7e00154922432da5ece3d419b0383f6d6852b0714c992daaff7106
                                  • Instruction Fuzzy Hash: E32127B190034D9FDB10CFAAC885BDEBBF5FF48310F10842AE959A7240C7B89944CBA4

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
Control-flow graph data (rendered graph omitted): basic blocks spanning 07842280-0784234C, first node 07842280; Wow64SetThreadContext is called from block 078422E3-07842313.
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07842306
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 84dbbad5a9e535ddcada977cfc2202d65fd8e47a284814ac57fd01c3a7d5e4ef
                                  • Instruction ID: b4731404cb2ba019e9eefcd658aadea31deb5436965fd0e438d86fd438e8045b
                                  • Opcode Fuzzy Hash: 84dbbad5a9e535ddcada977cfc2202d65fd8e47a284814ac57fd01c3a7d5e4ef
                                  • Instruction Fuzzy Hash: 992128B19043098FDB10DFAAC8857EEBBF4AF48320F14842AE959A7241D7B89545CFA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
Control-flow graph data (rendered graph omitted): basic blocks spanning 07842A01-07842ACE, first node 07842A01; ReadProcessMemory is called from block 07842A01-07842A95.
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07842A88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: c7156074fa5d5121eb1766575754a66b6b461640455740c267fbe3a9cae76f2c
                                  • Instruction ID: 1ebd6032dd80af00ac3ed2714d44f0ad4b4011b58fa6342bdbdfd8021ebc3b8d
                                  • Opcode Fuzzy Hash: c7156074fa5d5121eb1766575754a66b6b461640455740c267fbe3a9cae76f2c
                                  • Instruction Fuzzy Hash: E82139B280434A9FDB10CFAAC841BDEBBF1FF48310F10842AE959A7240D7799541CFA1
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029BCBD6,?,?,?,?,?), ref: 029BCC97
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1595598732.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_29b0000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: ffd548255d5570dad56df27907e5c502adffadf8b7b5fe4808024ac237987a25
                                  • Instruction ID: 87f865264fc590b1376780b4d097ec97bc712c715505a92368a1e96049454596
                                  • Opcode Fuzzy Hash: ffd548255d5570dad56df27907e5c502adffadf8b7b5fe4808024ac237987a25
                                  • Instruction Fuzzy Hash: 052103B59003089FDB11CFAAD984AEEBBF8EB48310F10845AE918A3310C374A940CFA5
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029BCBD6,?,?,?,?,?), ref: 029BCC97
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1595598732.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_29b0000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 6dc23de3773342105b26ff4d305c2d4ea71ff5dbd41bcdfa407ae89cc8437a1e
                                  • Instruction ID: bf241ef9e8e03891db168f51265cd51ed7a0ea6b2ead6a0b62a6110dd568b61a
                                  • Opcode Fuzzy Hash: 6dc23de3773342105b26ff4d305c2d4ea71ff5dbd41bcdfa407ae89cc8437a1e
                                  • Instruction Fuzzy Hash: BE2105B59002489FDB11CFAAD584ADEBBF4FB48310F14841AE918A3310C374A945CFA5
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07842306
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: c825bb1cd4e4e0b131a550d88c1fe9d2c4cba04f811f5e9de722ba422c3fca08
                                  • Instruction ID: 3bb8fd63a4477e9a5ecdb924c7695f50363497542966254e8f95354bb82517f9
                                  • Opcode Fuzzy Hash: c825bb1cd4e4e0b131a550d88c1fe9d2c4cba04f811f5e9de722ba422c3fca08
                                  • Instruction Fuzzy Hash: 742138B1D043098FDB10DFAAC4857EEBBF4BF48320F14842AE519A7240D7B89945CFA5
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07842A88
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: 4abb2e147c621ffe44d283ae25ba5a6a25adb87a1b0f6dec46de3e3b598f3c55
                                  • Instruction ID: f9eb79801acb128708f1afc6cf5d1b2a9a783990ebbeac7e02a8f4d3b989d942
                                  • Opcode Fuzzy Hash: 4abb2e147c621ffe44d283ae25ba5a6a25adb87a1b0f6dec46de3e3b598f3c55
                                  • Instruction Fuzzy Hash: 7D212AB180034D9FDB10CFAAC840BDEBBF5FF48310F10842AE919A7240C7749541CBA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: [!l^
                                  • API String ID: 0-941005735
                                  • Opcode ID: f1973267df92f3c5e321ae777ba07c07f317d91738f3a73fc70e1c742718c473
                                  • Instruction ID: 94899444635cadd36c7b07d16f4652f48ab3e2fbc55fd7e8f964e74a8a246e63
                                  • Opcode Fuzzy Hash: f1973267df92f3c5e321ae777ba07c07f317d91738f3a73fc70e1c742718c473
                                  • Instruction Fuzzy Hash: A7C14E70F102199FDB54DFA9D8646AEBBB2BF88700F144429E412EB394DF709D06CB91
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078423CE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 46f2562168b22d8c6f244357d84ee6a8747b851614f5b09904161199b72a9561
                                  • Instruction ID: 9e76b9c4ff583d6bafa23772e1a405e74c3a8002127063be70f8e9453417062a
                                  • Opcode Fuzzy Hash: 46f2562168b22d8c6f244357d84ee6a8747b851614f5b09904161199b72a9561
                                  • Instruction Fuzzy Hash: 0E113672904249DFDB10CFAAC844BDFBBF5BF48320F10841AE959A7250C7B59551CFA0
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029BA5F9,00000800,00000000,00000000), ref: 029BA80A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1595598732.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_29b0000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 5b1a11b0e42154ee2931c8e3ee65a6213c77dc2325eeb06a012583ed9e6803ab
                                  • Instruction ID: 654870dacee9b91754d7ab6d188ef3aab49f8ccadc48c93f0fd60be644adb971
                                  • Opcode Fuzzy Hash: 5b1a11b0e42154ee2931c8e3ee65a6213c77dc2325eeb06a012583ed9e6803ab
                                  • Instruction Fuzzy Hash: DD1103B6D043089FDB10CF9AC584BDEFBF8EB48314F14846AE419A7600C375A546CFA9
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029BA5F9,00000800,00000000,00000000), ref: 029BA80A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1595598732.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_29b0000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: f558d4522fff892691be1c9602f4b7b238478291639ffd692fb3a23bcbf29714
                                  • Instruction ID: 1e087ce980e9d4f9a99e314a625a5336f54718b54931e3467b09f5fe8fb00e05
                                  • Opcode Fuzzy Hash: f558d4522fff892691be1c9602f4b7b238478291639ffd692fb3a23bcbf29714
                                  • Instruction Fuzzy Hash: 371114B6C003099FDB10CFAAC544BDEFBF8EB88314F14846AD419A7600C375A546CFA5
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078423CE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: b86126753d91f7bd3e6a7a3d3bffaa922d4808c4ca4e2e3af4f6de4ed09753ac
                                  • Instruction ID: 42c1696a0ac693740f0e0d7b2731110aed364e6ce733fd714e379d625ad24630
                                  • Opcode Fuzzy Hash: b86126753d91f7bd3e6a7a3d3bffaa922d4808c4ca4e2e3af4f6de4ed09753ac
                                  • Instruction Fuzzy Hash: 3D11267280434D9FDB10DFAAC844BDFBBF5AF48320F14881AE519A7250C7B59544CFA5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: e8171a780948d4a742428a53563fd135c19530a6f1ce405de2773bab645e3ab6
                                  • Instruction ID: d7c91dc6aa0dac3903dcbdc69d59473d55d029b1681fc2a6378e8e8ba6add961
                                  • Opcode Fuzzy Hash: e8171a780948d4a742428a53563fd135c19530a6f1ce405de2773bab645e3ab6
                                  • Instruction Fuzzy Hash: 101146B19043498FDB14DFAAC4457EFFBF4AF88324F20846AD919A7640C7786581CBA4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: b675294d4c6ad848b5d1e3eb4d3d77b2fc1297bca23902ad367c1ae17edf9362
                                  • Instruction ID: 534e1fd819d47424607843fba91d8d565a37a15271f725f7ba9cc6639668b394
                                  • Opcode Fuzzy Hash: b675294d4c6ad848b5d1e3eb4d3d77b2fc1297bca23902ad367c1ae17edf9362
                                  • Instruction Fuzzy Hash: A8113AB19043488FDB10DFAAC8457DFFBF4AF88324F24841AD519A7240C7756545CFA5
                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 0784363D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: f6bc3939166d0c1de8e483a5ca6f5e9dcf617349e670da4afc860ae7a759f472
                                  • Instruction ID: 0c377ca116215a31f6b6e7dcbbfc7075f08cd68f86b1b45fc38f176d4769bb9a
                                  • Opcode Fuzzy Hash: f6bc3939166d0c1de8e483a5ca6f5e9dcf617349e670da4afc860ae7a759f472
                                  • Instruction Fuzzy Hash: F511E3B58003499FDB20DF9AD845BDEBBF8EB48324F20841AE558A7640C375A544CFA5
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 029BA57E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1595598732.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_29b0000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: b3252fbbb63ad216bd142e288d0ebb46aec6153a1cc157c25016378a87d6baae
                                  • Instruction ID: 80f8462bdbf33c3184aa067af67ff73b7970ac998d279151e8de1c25821a59be
                                  • Opcode Fuzzy Hash: b3252fbbb63ad216bd142e288d0ebb46aec6153a1cc157c25016378a87d6baae
                                  • Instruction Fuzzy Hash: D411E3B6C007498FDB11CF9AC544BDEFBF4EF48224F10846AD419A7210D379A645CFA5
                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 0784363D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598510762.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7840000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 30fd96d9f94762b2808fa93cbfee36c9145c7b15f80609375e6061142b19bd48
                                  • Instruction ID: d78c9c0daf6efd738d860e3b1a9765bd5589f59874c27ef3a1e0ed32ad8933ec
                                  • Opcode Fuzzy Hash: 30fd96d9f94762b2808fa93cbfee36c9145c7b15f80609375e6061142b19bd48
                                  • Instruction Fuzzy Hash: 1B1100B58003499FDB10CF9AD885BDEFBF8EB48320F20841AE518A7240C3B5A944CFA5
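Read together, the API call sites the report attributes to the 07840000 dump region (VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ReadProcessMemory, ResumeThread) are the primitive set needed to allocate in a foreign process, write a payload into it, redirect a thread's context and resume it, which is the classic process-hollowing chain. The script below is an added example, not part of this Joe Sandbox report or its tooling: it parses lines in the "Name.Module(args), ref: ADDR" form printed in the APIs sections, groups the APIs by the hollowing step they perform, and reports whether the chain is complete. The step names, the Nt* alternates and the sample list are this example's own; the sample copies the five call sites above verbatim and adds ResumeThread as a bare name because the report identifies it only by API ID, with no call-site address.

```python
"""Assess a static API-reference list for process-hollowing capability."""
import re

# Constructed sample input: the API call sites this report lists for the
# 07840000 dump region, plus ResumeThread, which the report identifies only
# by API ID (no call-site address is given, so none is invented here).
SAMPLE_API_REFS = [
    "VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078423CE",
    "WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078424B0",
    "Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07842306",
    "ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07842A88",
    "ResumeThread",
    "PostMessageW.USER32(?,?,?,?), ref: 0784363D",
]

# "Name.Module(args), ref: ADDR" as printed in the APIs sections; module,
# argument list and ref are each optional so a bare API name also parses.
API_REF_RE = re.compile(
    r"^(?P<api>[A-Za-z_]\w*)"
    r"(?:\.(?P<module>[A-Za-z_]\w*)\((?P<args>[^)]*)\))?"
    r"(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?$"
)

# One entry per hollowing step, with the Win32 and native APIs that perform
# it. The step labels are this example's own, not report terminology.
HOLLOWING_STEPS = {
    "allocate_remote": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write_remote": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "hijack_thread": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume_thread": {"ResumeThread", "NtResumeThread"},
}
# Typical companions (reading the target PEB, unmapping the original image)
# that strengthen the verdict but are not required for it.
SUPPORTING_APIS = {
    "ReadProcessMemory", "NtReadVirtualMemory",
    "NtUnmapViewOfSection", "ZwUnmapViewOfSection",
}


def parse_api_ref(line: str) -> dict:
    """Parse one APIs-section line into api/module/args/ref (ref as int or None)."""
    m = API_REF_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API reference: {line!r}")
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    return {
        "api": m["api"],
        "module": m["module"],
        "args": args,
        "ref": int(m["ref"], 16) if m["ref"] else None,
    }


def assess_hollowing(lines) -> dict:
    """Map each hollowing step to the APIs seen for it and flag a complete chain."""
    parsed = [parse_api_ref(line) for line in lines]
    names = {p["api"] for p in parsed}
    steps = {step: sorted(names & apis) for step, apis in HOLLOWING_STEPS.items()}
    missing = [step for step, found in steps.items() if not found]
    return {
        "steps": steps,
        "missing": missing,
        "supporting": sorted(names & SUPPORTING_APIS),
        "complete": not missing,
        # Call-site addresses, where the report gave one, to pivot back into the dump.
        "call_sites": {p["api"]: p["ref"] for p in parsed if p["ref"] is not None},
    }


if __name__ == "__main__":
    verdict = assess_hollowing(SAMPLE_API_REFS)
    print("complete hollowing chain:", verdict["complete"])
    for step, found in verdict["steps"].items():
        print(f"  {step:16s} {', '.join(found) or '-'}")
    print("supporting:", ", ".join(verdict["supporting"]) or "-")
    for api, ref in sorted(verdict["call_sites"].items(), key=lambda kv: kv[1]):
        print(f"  {ref:08X}  {api}")
```

The verdict is about capability, not observed behaviour: these are static call sites in a dump, so their addresses say nothing about call order, which is why the check is set-based rather than sequence-based. A dynamic API trace with timestamps would let the same step table be applied as an ordered rule instead.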
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: d
                                  • API String ID: 0-2564639436
                                  • Opcode ID: 9ea2ad3bde952bb9b5f6da49d273cb2e5632344a28638efa9e3fa44f5a90f6e2
                                  • Instruction ID: 9870c3458e1d1f19e542b8743c08fdf231fe2ce7517d2cd18b51cc988af7e624
                                  • Opcode Fuzzy Hash: 9ea2ad3bde952bb9b5f6da49d273cb2e5632344a28638efa9e3fa44f5a90f6e2
                                  • Instruction Fuzzy Hash: CEB15875A006058FD754CF1AC48496AB7F3FF88324725CA69E85AAB761DB34FC42CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: 45743a45bacd94ef106e124d25206053034e0674d98f2c6d25536f135387b15c
                                  • Instruction ID: 3c6a610388be4c6331011985d4bde61d305d6d293cf567abbf53aae4d49b8349
                                  • Opcode Fuzzy Hash: 45743a45bacd94ef106e124d25206053034e0674d98f2c6d25536f135387b15c
                                  • Instruction Fuzzy Hash: C241D272F041098FDB90DF59CC806EEB762EFC4365B28C537D5259B205CB32E85A8BA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: [!l^
                                  • API String ID: 0-941005735
                                  • Opcode ID: 09010e58e82c6e6949c89ee71390d734fab47034db1cc854502d7daf60e062cc
                                  • Instruction ID: 3514f521c4f2e99b141009970c550121aec469c7c7f8548394558eb8a8642a62
                                  • Opcode Fuzzy Hash: 09010e58e82c6e6949c89ee71390d734fab47034db1cc854502d7daf60e062cc
                                  • Instruction Fuzzy Hash: 48413F30B102089FDB55DFA9D864AAEBBF6BF88750B104429E416EB390DF759D05CBA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: T;Pq
                                  • API String ID: 0-3500953958
                                  • Opcode ID: 49bc78544afed48f926d15324447b494888c606c3409ab61c3d4725b5d01bf07
                                  • Instruction ID: aaec0ea1215c1d4d36734eef93c87cae466f0ec12ac04a96c43480379d775138
                                  • Opcode Fuzzy Hash: 49bc78544afed48f926d15324447b494888c606c3409ab61c3d4725b5d01bf07
                                  • Instruction Fuzzy Hash: 9741EE31B002068FDB48DA6ED8509AEBBE6FFC9224314442AE406DB395DF31DD02CBA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ;
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 17779dc21bc48ad9ed064c21b0737e044ed1268f092deaa9e9f92f6bee5a82a6
                                  • Instruction ID: 528b599b62f0de03613f32e707755b66401cbb3a3d570c7b8557f49b3b950bd9
                                  • Opcode Fuzzy Hash: 17779dc21bc48ad9ed064c21b0737e044ed1268f092deaa9e9f92f6bee5a82a6
                                  • Instruction Fuzzy Hash: 5E417D76F001058FDB84DB79D944AAEF7F5EF88260B118169E909D7365DB30EC42CBA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe01298b526fd09615a0915d03d41a9f4e32ef73ef4379be60207aaf99bc3e68
                                  • Instruction ID: ffa20f8327799d05f690b7fd91a28b8ad01416a982859c1a3069f109fdaa253f
                                  • Opcode Fuzzy Hash: fe01298b526fd09615a0915d03d41a9f4e32ef73ef4379be60207aaf99bc3e68
                                  • Instruction Fuzzy Hash: 7E415D36604208DFEB90CF69D494A6AB7F6FB48355F10852BE4078B750DE30F945CB92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7e6f403451ac4d37aacf25a63d03bf87fca103e45313f786e52a06e5d7dddedc
                                  • Instruction ID: a8c190dc34c79736fb5f172c1df2b3ca06e8836835a1a29382bc1442cdab9f97
                                  • Opcode Fuzzy Hash: 7e6f403451ac4d37aacf25a63d03bf87fca103e45313f786e52a06e5d7dddedc
                                  • Instruction Fuzzy Hash: 2151F375A1010ADFDB50DFA1D989EAE7BB2FF48315F208118F902A7261CB75AC15DF60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7d9f928aba32701401826c8a7a1ae0cc351dd92d2819656461c1d2c9f3ac2fe2
                                  • Instruction ID: bfb0b208679f7dbc042b2e8803cc3c95750473b79a4dc84c993a254e9e774229
                                  • Opcode Fuzzy Hash: 7d9f928aba32701401826c8a7a1ae0cc351dd92d2819656461c1d2c9f3ac2fe2
                                  • Instruction Fuzzy Hash: F9412A75E10618DFCB05DFA8E8949EDBBB9FF4A310F10416AE506EB360EB309945CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0374c683127e64f500ddc79ab038c4011828d23f713ba0ee81ed86e7b62df95a
                                  • Instruction ID: b3ecc556c97566940bba7111569049cd89a36fe84e1ad3c59973e2e2808ce9a9
                                  • Opcode Fuzzy Hash: 0374c683127e64f500ddc79ab038c4011828d23f713ba0ee81ed86e7b62df95a
                                  • Instruction Fuzzy Hash: 5F41A175B002169FDB00DF59C88466AF7B1FF89320B158696E929EB391C730EC61CBC4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4e591dd0777ffb84e76fb0a1a69ed469c8e4ea79cfb23ec756de3d423670d7ea
                                  • Instruction ID: fb7d70d8b756b69083f7b0d28eff78a3a7a6fce3869a4e1dbf58f358d5d1a61d
                                  • Opcode Fuzzy Hash: 4e591dd0777ffb84e76fb0a1a69ed469c8e4ea79cfb23ec756de3d423670d7ea
                                  • Instruction Fuzzy Hash: 4541B0717002549FDB85EB39D850A6E7BE1EF89661714817AF409CF3A1EE31DC06CBA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c7612cb961ba9242618968e5435649f322977e7147c0c4972bf3e9afe57a9d57
                                  • Instruction ID: ecb9a19fe9c1e8e0612a14c621ea65f5e8b255cb9d230f6fef66ca05fbbfa55c
                                  • Opcode Fuzzy Hash: c7612cb961ba9242618968e5435649f322977e7147c0c4972bf3e9afe57a9d57
                                  • Instruction Fuzzy Hash: 23417C35E003058FEB558B74CE587AE7FB2AF89704F14442BD402E6394DF358A46CBA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 98db580953c6761cfa1b45baa838267cb8ab295145c10f6b4b984d2e2d875729
                                  • Instruction ID: 8bba0d0961883d4201540da08f91f5bbf07ffa86eea0028543c829292168f101
                                  • Opcode Fuzzy Hash: 98db580953c6761cfa1b45baa838267cb8ab295145c10f6b4b984d2e2d875729
                                  • Instruction Fuzzy Hash: CB313837F00025AFEBD49778442427E3AE2AFC9691B45407BD807DB781EE608D0197FA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 25e3022f679e74d519c6265115fe4d08ac464eea6daf9abc3e32f9e8054a4c54
                                  • Instruction ID: 0dd4564f40c8a51a4eaa0da3d368ad958054f55d030830491b26c06d0393a1ec
                                  • Opcode Fuzzy Hash: 25e3022f679e74d519c6265115fe4d08ac464eea6daf9abc3e32f9e8054a4c54
                                  • Instruction Fuzzy Hash: 50410F70B002188FDB41EB2CE844B9E7BE6EF89321F14416AE405DB365DFB19C4ACB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8eadcaef58eadd6c7b41733a9ad82aa666c03841a374527e02e7f83497521274
                                  • Instruction ID: 877488afd61fff085ddd55f66c71260183302cff9b8244eb5b29e94a21a5e2ab
                                  • Opcode Fuzzy Hash: 8eadcaef58eadd6c7b41733a9ad82aa666c03841a374527e02e7f83497521274
                                  • Instruction Fuzzy Hash: 1E41B171D00208AFDB65DB58DC54BEEB7B6EF90321F004929D112976D0DF386A89CBE1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d40dccfc6c5a97f2901935f300aad625aa4ce278878148bdf9cbe447d5654bf1
                                  • Instruction ID: b1fed9e26f70a7a194bb6c22b430c3edc7b2063660b3e50fd7515218c67a24b3
                                  • Opcode Fuzzy Hash: d40dccfc6c5a97f2901935f300aad625aa4ce278878148bdf9cbe447d5654bf1
                                  • Instruction Fuzzy Hash: E631AF75F012059FDB50CB69D940AAAFBFAFFC4210B19C1ABD908C7651D730E812C791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c8ee97e4efd93a70a44d54660c7f0c091e4c9f4d39af9d11d13afe779366da4
                                  • Instruction ID: feabe0568c8ed1083c7d9f8885cc666b1d5a873ab42959521c215ee86ae4ebcc
                                  • Opcode Fuzzy Hash: 9c8ee97e4efd93a70a44d54660c7f0c091e4c9f4d39af9d11d13afe779366da4
                                  • Instruction Fuzzy Hash: 7E41BE32E04209CFEB80DFA4CC90AA9B3B2FF44306F168A67D516BB141DF71A945CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e672fdebdb3abd9787220c879996a5c53d812fdc367a409a80b1efcecdfe323e
                                  • Instruction ID: 64495e4e92ccf86ba5431c8899dc44eb999c7fc66604f10d1b7d35ca4fc53f10
                                  • Opcode Fuzzy Hash: e672fdebdb3abd9787220c879996a5c53d812fdc367a409a80b1efcecdfe323e
                                  • Instruction Fuzzy Hash: DF41B071A00208AFDB65DB58DC54BFEB7B6EF90321F008928D112976D0CF346A89CBE1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9af2ffa9004e4a13ab5bf869c634daedbae00222eee6fc0af580fc430efe74fe
                                  • Instruction ID: 05d65a369459060088ac39b2bbdf680db4961074cdd7cc065479e5d562f3551f
                                  • Opcode Fuzzy Hash: 9af2ffa9004e4a13ab5bf869c634daedbae00222eee6fc0af580fc430efe74fe
                                  • Instruction Fuzzy Hash: 71411370B002549FCB50DF29C888A6EBFF6BF89210B04446DE54AC73A2DB74DC09CBA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6db4fc5e52f0d4b4bf6ddbe90f0fa50946128ab61d7c51998c7f470a97b69e1a
                                  • Instruction ID: e43e1b65368eefd491190b27c2896005e8096ee71d9a9c82fa2043f877e7ba68
                                  • Opcode Fuzzy Hash: 6db4fc5e52f0d4b4bf6ddbe90f0fa50946128ab61d7c51998c7f470a97b69e1a
                                  • Instruction Fuzzy Hash: 84314435E153649FCB229B78D8657DA3FF1AF49214F19409BD440EB3A2DA608C08CBA6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ea1a5e3f81c47f411bee00594c2c29577159c54eba1318da33871712a1b42fc1
                                  • Instruction ID: 055eb3f232f8bdae4a9efc222f22d98237cf47412cc33dbfcbc0759850ce83d2
                                  • Opcode Fuzzy Hash: ea1a5e3f81c47f411bee00594c2c29577159c54eba1318da33871712a1b42fc1
                                  • Instruction Fuzzy Hash: EA416D74E01649DFCB14CFA9C95499EBBB2BF89300F248129E915AB360DB30E946CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a0c2df4d823614c1a63861a6d00411108d4bd23e51bfc866def87c9c787c5c4c
                                  • Instruction ID: 8784d15fe264846682e9961b595888e6bf0d95e44133bab5b3c6ef3272dade56
                                  • Opcode Fuzzy Hash: a0c2df4d823614c1a63861a6d00411108d4bd23e51bfc866def87c9c787c5c4c
                                  • Instruction Fuzzy Hash: E831A2359102248BCB689F29D8895BD7BF5AF55309F10886AF48BD7340DE74ADC8CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec709711e5917f4822cb8e89aee1e6657f1bbbd923add942a0aa09bbbda376f0
                                  • Instruction ID: 9a763ece69ab4ad6d9801bc28d7e1bbff2aed4e6cf7b9f0155c49f9544d015ab
                                  • Opcode Fuzzy Hash: ec709711e5917f4822cb8e89aee1e6657f1bbbd923add942a0aa09bbbda376f0
                                  • Instruction Fuzzy Hash: 4E219C71B012149FDB48DB6ED4A4B6EB7E6AFCC660B108069E80ACB355DE34DC41CB94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4128c0e156400b3aa0172177780a001381e50f658a4b8f59fc128dc696daee70
                                  • Instruction ID: f48f60733c36d8ea7eec9f59df94f9010d8fb20ffd730cf7adf9d6df88b0b559
                                  • Opcode Fuzzy Hash: 4128c0e156400b3aa0172177780a001381e50f658a4b8f59fc128dc696daee70
                                  • Instruction Fuzzy Hash: C721C233B1C605BFF7E8892D9C447EA7AE9EB543D4F04053BE456C62C0E662D884E791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 84ea31202f36f8a3f9a6e6da5f81665f50ca247b2ecb86745bb11f8347ce90fc
                                  • Instruction ID: 335e60fed87c1cb8254db05515f402c8dfe86ad9d343f8657fa77dd49a0579d3
                                  • Opcode Fuzzy Hash: 84ea31202f36f8a3f9a6e6da5f81665f50ca247b2ecb86745bb11f8347ce90fc
                                  • Instruction Fuzzy Hash: 5F31BB71F012018FDB45DB69D890AAEBBB2EF89310B24806AE8059B354DF35EC01CBA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c5cb2cd20b500d2ea0b71e5301364350c3ecd1bd58d55051ae93ccf6f6adeafd
                                  • Instruction ID: 75581b20dde5f1bf17c30263204924d51f956953c5a2405c00a0edc1475e8999
                                  • Opcode Fuzzy Hash: c5cb2cd20b500d2ea0b71e5301364350c3ecd1bd58d55051ae93ccf6f6adeafd
                                  • Instruction Fuzzy Hash: B0319271A00B05CFEBA0CF69D84426ABBF1BB84315F14862AD05AD7790EB30F949CF91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 272e2e773deeac96598a2b8d2d70b9e54289164804b422484ee644b71775c259
                                  • Instruction ID: 58a462f832af93b5f82cabcf04c25ce10b075f48f3d2f00c9c19f6292c9b97de
                                  • Opcode Fuzzy Hash: 272e2e773deeac96598a2b8d2d70b9e54289164804b422484ee644b71775c259
                                  • Instruction Fuzzy Hash: B8217A75F012158FDB55DB69D494AAEBBB2EF88310B208069E8059B354DF35EC02CBE0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 881da4ae596b4fe28e0d4d2edeef1e5939f75e7b0cb8900620ea35c331c2de7a
                                  • Instruction ID: 1798bd82add9073d05c9e74e47f2adc78c036058dd91821b1b21dac3794869cf
                                  • Opcode Fuzzy Hash: 881da4ae596b4fe28e0d4d2edeef1e5939f75e7b0cb8900620ea35c331c2de7a
                                  • Instruction Fuzzy Hash: AB215E32B049108FE794DB7DD84C97A77E5AF886A670144BBE41BCB760DA21DC00CBA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e9652824bec3d294056f0eca1804152848f0dc2daf9a73f69ee8d39fae0e9b36
                                  • Instruction ID: 0bd0df20829915cbb8c3eb4fe57675cf4b8c3b7623583bf5ecf5e05e600cc1b2
                                  • Opcode Fuzzy Hash: e9652824bec3d294056f0eca1804152848f0dc2daf9a73f69ee8d39fae0e9b36
                                  • Instruction Fuzzy Hash: 24219332B545108FEB94DB79D85097973EDAF9865170984ABE40BCF370DA51DC048B90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 68cd5656e5bfd2dd31f7349839c7b051ed7bed8a83074d0df5a1c341fe0d87cf
                                  • Instruction ID: 9c153224d7f5ded7f9c24c08149dc4c0268ebc5a520907fc6227534a96dec56d
                                  • Opcode Fuzzy Hash: 68cd5656e5bfd2dd31f7349839c7b051ed7bed8a83074d0df5a1c341fe0d87cf
                                  • Instruction Fuzzy Hash: 8721D477B04204EFDB40CB68C844BAAB7B6FF44229F1011A7E906D7361D631DD08DBA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 46d8dd6f297742f852648d30fc4580800c1a1d746f64b95ac2a71b2298b0a08b
                                  • Instruction ID: 5dbff947e085ce028082ee67fdfdc761a7973a1f31221d9f787ab45562585c7d
                                  • Opcode Fuzzy Hash: 46d8dd6f297742f852648d30fc4580800c1a1d746f64b95ac2a71b2298b0a08b
                                  • Instruction Fuzzy Hash: 55312876B00215DFDB44DFA8C559BADB7B2BF88704F20006AE406EB3A5CB359D06DB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7c9615d26664ea0f88cb431b00d062af921983222e1e22a6fa0e1f008ea0ac9a
                                  • Instruction ID: f0cf69dd3810752f4cffc2f20e78a0605beb8825fd3e4cee6f2e5dda3758b006
                                  • Opcode Fuzzy Hash: 7c9615d26664ea0f88cb431b00d062af921983222e1e22a6fa0e1f008ea0ac9a
                                  • Instruction Fuzzy Hash: 09218E35B14B119FC724DF5AC48492AF7F6FF88718B11861AE54687724DBB0E851CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1594942476.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d5d000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4576c4994692c90b8b7a4af2e92391ae92e4284d87f3154153096a13a3c87787
                                  • Instruction ID: a2962a5cec3bff8cf5d74daf33f2897d756e0a698cdb51dbaf5ecc65d8a45690
                                  • Opcode Fuzzy Hash: 4576c4994692c90b8b7a4af2e92391ae92e4284d87f3154153096a13a3c87787
                                  • Instruction Fuzzy Hash: 0321F1B1504704EFDF25DF10D980F26BBA6FB94325F248569EC490B256C336D85ACAB2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 246f129dc84f17042cfead0c1f2db4942831263b8333d7316980201adc1b05cb
                                  • Instruction ID: 24941b07daa27b64d3311119f9dbe006ffdd0763e6a1d9ea8b2b3d7147466291
                                  • Opcode Fuzzy Hash: 246f129dc84f17042cfead0c1f2db4942831263b8333d7316980201adc1b05cb
                                  • Instruction Fuzzy Hash: F511D632608A008FE7858B79DD1D9763BB5AF866A230640B7E426CB272E620CC00C7B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a983a2117d9a24f011320f7f3cb0d481fe77c1861ca81ca90746dbca6ed86d1
                                  • Instruction ID: 66f9f8db7c41d04fa4014c042f8066594c236e43c0ffc5c0c7f3df8cbfe0b27f
                                  • Opcode Fuzzy Hash: 7a983a2117d9a24f011320f7f3cb0d481fe77c1861ca81ca90746dbca6ed86d1
                                  • Instruction Fuzzy Hash: 66216D74E083499FDB41DFB8C8506ADBFF1AF4A210F0440EAD445AB392D7349E44CBA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 93469c63edf2278bd4a5667e746491449f977308893ea15d0232da4962dae98a
                                  • Instruction ID: 54cb0fe53d7337e8e0f973b2cae6b8b863c499f71e5a86a97d76b444530c6036
                                  • Opcode Fuzzy Hash: 93469c63edf2278bd4a5667e746491449f977308893ea15d0232da4962dae98a
                                  • Instruction Fuzzy Hash: ED1160767142004FE754CA6DE890A6BB3EADFC9260714847FE90ACBB55EE31EC018754
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1595021520.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d7d000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7d8da17a7b23cfe2c5db645c790808dbe1521a9c65d262ece3563db204a6f6cd
                                  • Instruction ID: 5fb715246185d164b06693f12ae6593bcf08bd97124067ad9ee761f138288aeb
                                  • Opcode Fuzzy Hash: 7d8da17a7b23cfe2c5db645c790808dbe1521a9c65d262ece3563db204a6f6cd
                                  • Instruction Fuzzy Hash: BC21D075604204EFDB14DF20D984B26BBB6EF84314F24C56DE84E4B286D336D847CA72
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 20427b8c8353bf67e55d95dd402e806a29511cfae391764a188ea5ab10cc5613
                                  • Instruction ID: 11b8f67edf8d366d713072529ad911e99a47a5d33674fd910ebaa16685285fe8
                                  • Opcode Fuzzy Hash: 20427b8c8353bf67e55d95dd402e806a29511cfae391764a188ea5ab10cc5613
                                  • Instruction Fuzzy Hash: 0D117832B086489FD755EBB9D8242AC3BE2DFC2220B1440B6E808D7392DE388D068791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa627b5a9fc5a221eeb1d6c13f2c4e86c638566e966d25e89ccb43a51b80c388
                                  • Instruction ID: 259835443b6b34409902f6dbd9287e7b2ae5d1ee97c1243c94b78f0bea85be01
                                  • Opcode Fuzzy Hash: aa627b5a9fc5a221eeb1d6c13f2c4e86c638566e966d25e89ccb43a51b80c388
                                  • Instruction Fuzzy Hash: 731170337042014FA7549AAEA894A6BF7EAEFC4164314807FE50DC7B59EE61EC014790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f254f6d8cae7e1265eb2a435d1c84f4493cdab773a9a5cd8578a52dec3c6525
                                  • Instruction ID: b82d69998b6d8ef6a5551316a2c59c7d6f1c9ea5822492dcd21854c0950a150a
                                  • Opcode Fuzzy Hash: 7f254f6d8cae7e1265eb2a435d1c84f4493cdab773a9a5cd8578a52dec3c6525
                                  • Instruction Fuzzy Hash: 1D11B137B04204EFDB40DF69C84496EBBF5FF88218B1000AAE50797361CA31DD04DBA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a12ed843780a4376ab2cb347b3e44628a3feb642f668af941ce588f928d26e76
                                  • Instruction ID: 5ceafef9129e1bb05e9bf482e0dfa30dc5c54ca1949e5154248d6ff367cdf4a7
                                  • Opcode Fuzzy Hash: a12ed843780a4376ab2cb347b3e44628a3feb642f668af941ce588f928d26e76
                                  • Instruction Fuzzy Hash: DE21E571F0010ADFDF45EF96D844AAE7BB2BF88354B108015F91197264E7349951DFA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1595021520.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d7d000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fd87387dbce3a8c3466007cd2ce17b6230ff26bb706066d3d9b9e1a442c892a6
                                  • Instruction ID: 193fa952b325b2c219ce2d12f854efdf68e4f09a50dc3aa73aa27e43023f09a3
                                  • Opcode Fuzzy Hash: fd87387dbce3a8c3466007cd2ce17b6230ff26bb706066d3d9b9e1a442c892a6
                                  • Instruction Fuzzy Hash: 1B214F755093808FDB12CF24D994715BF72EF46214F28C5EAD8498B6A7D33A980ACB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb54e367a00541bc28561596bef68d79338ee197ffd85866f49cbb9b31098821
                                  • Instruction ID: 18b19517a28ce6b26766280aed168045749e9dd88d96e65764f7415f550be509
                                  • Opcode Fuzzy Hash: bb54e367a00541bc28561596bef68d79338ee197ffd85866f49cbb9b31098821
                                  • Instruction Fuzzy Hash: 0311B236B007069FDB14CA5BD891A6AF7A6BB88218714842DF906D7745E770FC05CBA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a7775beda04fe6e3451bee8a2e5bf3b0dc1bbfc58ee1ae2f7681749965efc7e5
                                  • Instruction ID: 3c3db607d7679763f8906fb5aaea249eee9ba79780c46b447117d63abef62f66
                                  • Opcode Fuzzy Hash: a7775beda04fe6e3451bee8a2e5bf3b0dc1bbfc58ee1ae2f7681749965efc7e5
                                  • Instruction Fuzzy Hash: 1E11C231B112545BDB05ABA988A87FF6AEB7FC9650F24402AE401F7380CDB44C068BE1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 43305073a4bd9f424af970eb51690f044b6a872dea4bd9682e5be39078e6b124
                                  • Instruction ID: 24758f3b8a05a3efc1a7ba23bfe53a8da224b40c4f7dd419cb2e8b9eabf1b548
                                  • Opcode Fuzzy Hash: 43305073a4bd9f424af970eb51690f044b6a872dea4bd9682e5be39078e6b124
                                  • Instruction Fuzzy Hash: 7011A271214A24CFE7581F16F25936A7BB9BB85708F10422AF003CE644CF76890A8BC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cc35e972b1c38aee049c27b37c642f84df0098590bcb5f4b35d4e655a26b0676
                                  • Instruction ID: dc2a9ae6254ebf72259f52175fe09f56dcfeb4a670d8d270a641aa59d414b380
                                  • Opcode Fuzzy Hash: cc35e972b1c38aee049c27b37c642f84df0098590bcb5f4b35d4e655a26b0676
                                  • Instruction Fuzzy Hash: 2B11D371214A24CFE7644F15F25936A7BB5BB55709F00422BF007CF689CB7689098BD3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8983b9f7ba9c47f9f98cda11492ab18b3d6cf488fa705a6449798ee739c36938
                                  • Instruction ID: 94e98d3140a2c610b18e34895910cab1e368018acddb1a08a1395a4627a0857b
                                  • Opcode Fuzzy Hash: 8983b9f7ba9c47f9f98cda11492ab18b3d6cf488fa705a6449798ee739c36938
                                  • Instruction Fuzzy Hash: 1D01A5627089108FE7948A68D84CD777BE5AF856A230180BBE827D7271E620CC01C7B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 54967d7d72e592a5afeb22226f3539a931069aba55e216dfbbebe79256c64632
                                  • Instruction ID: f6bdf80ab0c2471dce7c6254b9560874977d138dbac014d144237f10af44f84e
                                  • Opcode Fuzzy Hash: 54967d7d72e592a5afeb22226f3539a931069aba55e216dfbbebe79256c64632
                                  • Instruction Fuzzy Hash: CB0124B3B096591FD761C66DA84095BFBE9EF8517030581ABE948CB341EB30EC0083E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bd69691de403f9bb92d7dd26cf5251ea4acd3eb8c26762c0bbbf26208a71976a
                                  • Instruction ID: 73025ce1e9a99f8ea112391c32d997ef632fd4eab7fa7b01d98445f778c0ce38
                                  • Opcode Fuzzy Hash: bd69691de403f9bb92d7dd26cf5251ea4acd3eb8c26762c0bbbf26208a71976a
                                  • Instruction Fuzzy Hash: 9F11E3B15023559FDB42EB28FC41AD637A6EB867213081653F004CB22AD7A19D0ACBD2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 45483dab0deadab0c8394868878eefbc66dae095556e0cbdb33700d71c3e340a
                                  • Instruction ID: 72393ea2daa705d5bd87dca1d6feb9ba07ec3a22cf892ae326eaa763b9077916
                                  • Opcode Fuzzy Hash: 45483dab0deadab0c8394868878eefbc66dae095556e0cbdb33700d71c3e340a
                                  • Instruction Fuzzy Hash: B421B874E0020DDFDB44DFA8C581AAEBBF2FF89210F1044A9D955A7751DB34AA40CF91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1594942476.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d5d000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                  • Instruction ID: bef32973db8bf69ccc66b51d6581eb9174e12c40bb41520816a3099b44889df5
                                  • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                                  • Instruction Fuzzy Hash: 7D119D76504640CFDF16CF10D9C4B16BF62FB94314F2885A9DC490A256C336D85ACBA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c13b644877c12a7d24937989e140a1010d773647ddb72f3356be975aa896e7d
                                  • Instruction ID: ad8e98c520b8f772e47bdf2ddc6eda3fd14c6988dab91b9792ec76cd0e43d507
                                  • Opcode Fuzzy Hash: 8c13b644877c12a7d24937989e140a1010d773647ddb72f3356be975aa896e7d
                                  • Instruction Fuzzy Hash: 821133B0D0120DEFDB81EFB8DC516AEBBB5EF85200F50459AD815A7282DA315B05DB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0c305855742cf171b7199100effb10723a9f452ca24da9d3c0763fb44ee5f565
                                  • Instruction ID: ca6b711649febf146c30d16fec04d033590f07db12be265a69685b12dd771116
                                  • Opcode Fuzzy Hash: 0c305855742cf171b7199100effb10723a9f452ca24da9d3c0763fb44ee5f565
                                  • Instruction Fuzzy Hash: AC01D672704501CFF7D4CA29D955A3973FDAB94651709805BE807CF361DA60DC098B91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fbe0c46700dad181d3d32875a837e15dca4a359bcacd4a8f60d5ec4da5d3f006
                                  • Instruction ID: dcb7d781fda72cae0e18fa072fccf84cec54de2211dc2327e4f0b07ec3176648
                                  • Opcode Fuzzy Hash: fbe0c46700dad181d3d32875a837e15dca4a359bcacd4a8f60d5ec4da5d3f006
                                  • Instruction Fuzzy Hash: 76012832A0A2485FD7458688D89CFEBBBA9DB882A0B144077F81CD7310DB619941C7A5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1c9c3bc9d733f3b0db57b643b374111d65d2ad4788098e66cc671fc76f0a4860
                                  • Instruction ID: 454c5750cb0d14d308c36572ada35b2358f3a594545232c998228a193596acdd
                                  • Opcode Fuzzy Hash: 1c9c3bc9d733f3b0db57b643b374111d65d2ad4788098e66cc671fc76f0a4860
                                  • Instruction Fuzzy Hash: 4E11E572A0A7929FC3528B64DC10852BFB1AF4722631945EBD8448F793D732DC43C791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9cc058e1e97d6ca0dd1a3428ba1418a5c3b416c81dd6adec6642d3dbc96ab7df
                                  • Instruction ID: 1b4e141332afd04a007e9afb8f90009efa00cc40ba1c8cb34ec88a73af2f2432
                                  • Opcode Fuzzy Hash: 9cc058e1e97d6ca0dd1a3428ba1418a5c3b416c81dd6adec6642d3dbc96ab7df
                                  • Instruction Fuzzy Hash: CA01F737B0810DBFD7D45659AC15B3EB6AAEB8C760F10442BF906D7390DE30DC0996A1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8fcad08de91ff0885b68fa8d339facf126f6941bc818df1282ab08168eda4c23
                                  • Instruction ID: e7efa9f38f101b9de4be7b98d5ce14011decc4b649d1438c8722530ce39455df
                                  • Opcode Fuzzy Hash: 8fcad08de91ff0885b68fa8d339facf126f6941bc818df1282ab08168eda4c23
                                  • Instruction Fuzzy Hash: F2012477B0410CBFDBD456189C55B7E76AAEB8C760F00042AFC06D3381DE30DC09AAA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8cea2a2d8130ff4f3c280becd5c587d13303ad9f795249d259ae43aaefd3649d
                                  • Instruction ID: f0fc79205270de291a0bf942eb11f17d79046d856ca90237992c1aad05e3969d
                                  • Opcode Fuzzy Hash: 8cea2a2d8130ff4f3c280becd5c587d13303ad9f795249d259ae43aaefd3649d
                                  • Instruction Fuzzy Hash: 48019E31B102594BDB05BBA984A83BF7AEB7FCD640F20402AD412F7380CEB44C068BE1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec22f07dc51341b9d128770a21bb8a6a94a67b8a256e58f5010a6b7341974607
                                  • Instruction ID: 1e1bfb5f78eec76ce27425e45e1e2b6d0d74356bb95892b872c7bad973a8a629
                                  • Opcode Fuzzy Hash: ec22f07dc51341b9d128770a21bb8a6a94a67b8a256e58f5010a6b7341974607
                                  • Instruction Fuzzy Hash: 6B117C3BB50145EFEB44CBA8D556BAC77B1EB48304F200166E102EB398DA21AD01DB41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 49796db19b68e99424f346f38e96269d59aaeed33fb1fb5ff299ca6123c8fbb5
                                  • Instruction ID: f149f844b36e0c2d7e02a6882342233e9c207698a8b60c8e8c629bf1d7528ce0
                                  • Opcode Fuzzy Hash: 49796db19b68e99424f346f38e96269d59aaeed33fb1fb5ff299ca6123c8fbb5
                                  • Instruction Fuzzy Hash: 7FF081323412046FD705AE9EAC84CAABB5AFFC57A4B504039FD099B391CA72DC09D7B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c1b2d2fb8406f1d6864015b786ad9e525a4d8492595e75977c423d158ebac61
                                  • Instruction ID: 934701cccba2636109f9c49c06354c5080cb117f99a43c30c659946a695810bd
                                  • Opcode Fuzzy Hash: 4c1b2d2fb8406f1d6864015b786ad9e525a4d8492595e75977c423d158ebac61
                                  • Instruction Fuzzy Hash: 3A113932A04219DFDF40CB98E8A4BEDB7F1FB48314F104466E406BB2A5CB749E45CBA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 413ae7076990a83086afe01d92365a1fc606dc10447115819776b160c9f0e682
                                  • Instruction ID: 08a45a021995e01c7541b5cb850e147407c6641d85a18869ba64675fb61e6290
                                  • Opcode Fuzzy Hash: 413ae7076990a83086afe01d92365a1fc606dc10447115819776b160c9f0e682
                                  • Instruction Fuzzy Hash: 1A01B175B00B01DFD721CB68E844AAAB7B1FFC4321704866FD65A8FA11CB36E810CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55bcc798425952d3836c080c2b6a8dcf8c49f6687ac8400b9db595890e4cf3ef
                                  • Instruction ID: a46b2e2b2b3dae2ecf4bae52cbef2c5cb8418a75acaa43a6af36fe9178b40162
                                  • Opcode Fuzzy Hash: 55bcc798425952d3836c080c2b6a8dcf8c49f6687ac8400b9db595890e4cf3ef
                                  • Instruction Fuzzy Hash: 40118471524306DFF7549B64C914BAB7AF1AF48304F10446ED401A7684DF75CA45DBF2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72523d822be96040234ad6b079497c36b838f8ad974561178e3f62d5573591ba
                                  • Instruction ID: 4b501ab6000e3dfaa03f03064c326476ab7f4b6d184adaa45280707140509b44
                                  • Opcode Fuzzy Hash: 72523d822be96040234ad6b079497c36b838f8ad974561178e3f62d5573591ba
                                  • Instruction Fuzzy Hash: 9301D672B053405FE754CA6DE880BABBBE9DF8926170484BBE948CB751DB31EC00C391
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b1303d1551a6c1e98ca92cc1283dc470aa7e24cfba8318895f5a48b90bc07553
                                  • Instruction ID: 09a0a8075e232a0f38a3a5ad686a5178ab793511106c584e0ba034ac0e239f97
                                  • Opcode Fuzzy Hash: b1303d1551a6c1e98ca92cc1283dc470aa7e24cfba8318895f5a48b90bc07553
                                  • Instruction Fuzzy Hash: 0E113CB0E0020DFFCF80EFACDC519AEB7B6EF84600B508959D815A7281DA316B059BA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df24304c0e5bd6dfe671479beecef3a17b4a4f761ab0549f149a4a49aa0ebb4a
                                  • Instruction ID: 7a08a7745499ae5058a0e6b0919a940704dd7716de027510f80c9d2b1b87801d
                                  • Opcode Fuzzy Hash: df24304c0e5bd6dfe671479beecef3a17b4a4f761ab0549f149a4a49aa0ebb4a
                                  • Instruction Fuzzy Hash: 2301F230B043098FD755AB2CD854A6E77E3DFCA260358456EE409CB391DF20DC068B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1f378e9dc04995d47cc0957d551ae3de768ed8fa3847311b9c588dbe19437805
                                  • Instruction ID: 21e8605161a9286175139989e3ae026e352289ccc1897e7c5c8959c10061ab9a
                                  • Opcode Fuzzy Hash: 1f378e9dc04995d47cc0957d551ae3de768ed8fa3847311b9c588dbe19437805
                                  • Instruction Fuzzy Hash: A4F09032B042214F57A48A6EBD8492FBBAEFBC8625324053BF509C3360DFB1CC0187A4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb2f2e57bddb4bf86e99b5c92d4b876124582341fb6e694b638a5df151470aca
                                  • Instruction ID: 55b9fb8aa6ce2639c12f5100fbde0c0e1440543bf45f7fd26fc9bb177e778a94
                                  • Opcode Fuzzy Hash: bb2f2e57bddb4bf86e99b5c92d4b876124582341fb6e694b638a5df151470aca
                                  • Instruction Fuzzy Hash: 5A018136B016119BC7519A69E800856B7A6EFC972531489BBED09CB744CB32EC43CBD0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c4c21eebbaad505e6ec0e75d217c0b69efcc5c9a7e319ca0d623876f2c42b420
                                  • Instruction ID: 21aa213554a86d3b49129682f33b648f803d5b99c14ff9f18f52733dbf25042b
                                  • Opcode Fuzzy Hash: c4c21eebbaad505e6ec0e75d217c0b69efcc5c9a7e319ca0d623876f2c42b420
                                  • Instruction Fuzzy Hash: 3C016D32904218CFDF44CF58D9A5BEDB7F1BB48310F14845AD402B7295CB749E45CBA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c40d0316325aa7bb37debf0d3fa5fd266d8e1661abb5edfde2600ac31c7c08fe
                                  • Instruction ID: 6468873ffdacad0303af806eb7f5df04b43690f942699ee2d31ea39a91f1aa6c
                                  • Opcode Fuzzy Hash: c40d0316325aa7bb37debf0d3fa5fd266d8e1661abb5edfde2600ac31c7c08fe
                                  • Instruction Fuzzy Hash: 630147703043846BD7529B38981825DBFA1FFC6320708451DE649CBAC1CFA1A80C87E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3a4fef3c88dc05bdd4d1750da3a088a630e4129d6b7b6ccd61c1d32051bdcbc1
                                  • Instruction ID: 48840a75b635dcfd53aca4e545e0dc6955ea9df5ca4288c76771393aab023c41
                                  • Opcode Fuzzy Hash: 3a4fef3c88dc05bdd4d1750da3a088a630e4129d6b7b6ccd61c1d32051bdcbc1
                                  • Instruction Fuzzy Hash: 05F0C236B052405FD740CB5CD858A8ABBE6AFCE311719809BF549CB3A6DB76CC018B91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 63d25c92965e9099b77cfa87502fdce790c8b8dac7dff196ae4bc63ad65c043f
                                  • Instruction ID: cc2ee053a4a4eebba17a9e056de27318689b897d66a02814b2f2ca38733b2a8b
                                  • Opcode Fuzzy Hash: 63d25c92965e9099b77cfa87502fdce790c8b8dac7dff196ae4bc63ad65c043f
                                  • Instruction Fuzzy Hash: 1E01DBB5F102185BD7019B599C407AD73B3EBC4761F148055EA02AB784DB715D0A87D0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 95762b553ecbae311faaeea0ce5362582835ea15a8318aa6b88bc74950a2d10a
                                  • Instruction ID: f5296fb3f9038d0144412a5607ea855694fd84582a07c6a4bd46572b786778ca
                                  • Opcode Fuzzy Hash: 95762b553ecbae311faaeea0ce5362582835ea15a8318aa6b88bc74950a2d10a
                                  • Instruction Fuzzy Hash: 28F0AC32F0D3948FD7064BB888541593FA2DF8355039C80EED4488F296CE568D07C7D2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 43ab8ae79b42f9a6727a4afe8f756fca71cf253418e92696b04d1629c7936e5d
                                  • Instruction ID: 7d2ebd4f0c01637fd4004d672988968aa4d8e08b06b266fb7e9ab023f6879f0a
                                  • Opcode Fuzzy Hash: 43ab8ae79b42f9a6727a4afe8f756fca71cf253418e92696b04d1629c7936e5d
                                  • Instruction Fuzzy Hash: 9AF02DB6F103185BCB019A598C006AD7373FBC4761F148055EA02AB784DF715D0BC7E0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 676dd83f5198883d9544842ba0546efeb6496cc78a516378b3dc9be1642bfc96
                                  • Instruction ID: 3535da714bbf9a3c709f38ad6d34e17ada9ea0f2883310b803833dbb6b9fc0f1
                                  • Opcode Fuzzy Hash: 676dd83f5198883d9544842ba0546efeb6496cc78a516378b3dc9be1642bfc96
                                  • Instruction Fuzzy Hash: 2DF046B3F0A2808FE34643A4A46C3B97BA09B922A5F0900EBC4458F1A1DB178802C711
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 11a09a594ddf3dc53d3356aec593bc305efaa2fd230645801f1debe878513f0a
                                  • Instruction ID: 26d8ef8cd0ad63f3d63a9b3869142530c54b382edc15f549b461ba8832445ff4
                                  • Opcode Fuzzy Hash: 11a09a594ddf3dc53d3356aec593bc305efaa2fd230645801f1debe878513f0a
                                  • Instruction Fuzzy Hash: 7F012875B00205DFDB45DBA4C555BAEBBB2BF88300F200066D402DB369DF748C05DB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ef4407d268a1c4428e2fadb88c75e64891f1e97eade3294a4ea53c4e738a1807
                                  • Instruction ID: 82355135e80415920a5c6de02eb4e666186a52ef19ab098a751dd11f2da8192f
                                  • Opcode Fuzzy Hash: ef4407d268a1c4428e2fadb88c75e64891f1e97eade3294a4ea53c4e738a1807
                                  • Instruction Fuzzy Hash: B2012875D0031AEFCB40DFA5D941AAEBBF1FF48325B10C52AE559A7610D335AA12CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 38f0e617c4e34df7681d60d0006acfb979bc630382080400f35131e2ec595559
                                  • Instruction ID: 5ae837c5617d9037a185653d8893398074bdd753641314e1f9eb414e8af309b0
                                  • Opcode Fuzzy Hash: 38f0e617c4e34df7681d60d0006acfb979bc630382080400f35131e2ec595559
                                  • Instruction Fuzzy Hash: 72F02472B003110FD7A18F2DDD84A6A7BEDFF89510324006BF108C3362EA70CC0187A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e0171b2535dbfd8adda0c5a6c0ac7d0bb138636b98a595806596a101831d1e7
                                  • Instruction ID: 2c6945f7d3dbd65754b0e51599f02a5a9d549d720073f824ecfa112ab094fa31
                                  • Opcode Fuzzy Hash: 0e0171b2535dbfd8adda0c5a6c0ac7d0bb138636b98a595806596a101831d1e7
                                  • Instruction Fuzzy Hash: CB01D034E00208CFDB44DFB4E5996ADBBF1BF48305F50842AE406EB2A4DB399946CF50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e0171b2535dbfd8adda0c5a6c0ac7d0bb138636b98a595806596a101831d1e7
                                  • Instruction ID: 2c6945f7d3dbd65754b0e51599f02a5a9d549d720073f824ecfa112ab094fa31
                                  • Opcode Fuzzy Hash: 0e0171b2535dbfd8adda0c5a6c0ac7d0bb138636b98a595806596a101831d1e7
                                  • Instruction Fuzzy Hash: CB01D034E00208CFDB44DFB4E5996ADBBF1BF48305F50842AE406EB2A4DB399946CF50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9119a285d64e03e5e38ec1265286cd56d31819cbf14687673b053f292e8c5177
                                  • Instruction ID: 3081d6c0581de620f9e995e77f05ffb2d32f6485b1fb4e0735157cf8c165e8cf
                                  • Opcode Fuzzy Hash: 9119a285d64e03e5e38ec1265286cd56d31819cbf14687673b053f292e8c5177
                                  • Instruction Fuzzy Hash: B1F0E231701306AFCB52DB68DC64EEA77E6DFC9161309046AF485CB761EB61DD068BE0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b69e14ead2c30fa6de9eb1545a624514164442520282dc2fc934a294c6744fbe
                                  • Instruction ID: 3e6a9280b1a00482c39d5cfd199b9238fbe9ac1f0e007099e9d228c98767d188
                                  • Opcode Fuzzy Hash: b69e14ead2c30fa6de9eb1545a624514164442520282dc2fc934a294c6744fbe
                                  • Instruction Fuzzy Hash: 53F0CD31A047815FC7528B38DC60A4A3BE1DF8B66430804AAE084CB252EA61D805CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5f7f3d8bdf089f87b26c2f6c26884a6dc94f14a9aeffe92df6a56324db4656ef
                                  • Instruction ID: 5b05436a4e5cce526c720958ed962787646963d68836cb511d4ffaf7cf90c87a
                                  • Opcode Fuzzy Hash: 5f7f3d8bdf089f87b26c2f6c26884a6dc94f14a9aeffe92df6a56324db4656ef
                                  • Instruction Fuzzy Hash: 85F027722003012BC603A66CA8554DE7BE6EFC4161344842BF00DCBB81EF608E098BF5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e85e08132c60644a669d8c339db92ba3d5ee27305a9c42b1b893087e6ff30f0b
                                  • Instruction ID: 9df076623c089e483cc621395f4d3006cb2cd8554ad0e006f2933a9dd39c533b
                                  • Opcode Fuzzy Hash: e85e08132c60644a669d8c339db92ba3d5ee27305a9c42b1b893087e6ff30f0b
                                  • Instruction Fuzzy Hash: F9F0E2B7B087811FE3A54AEA985059BBFF9EFD616031440BBE04CC7356EA61CC008790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 85ab9c78f464a637b0d71692b4f459d98ad6eacc0f3b6d716f209768b1a14e94
                                  • Instruction ID: 308620500d0c582aa60a5888ef067934143d40a358270e5ca4191598b3d4fae0
                                  • Opcode Fuzzy Hash: 85ab9c78f464a637b0d71692b4f459d98ad6eacc0f3b6d716f209768b1a14e94
                                  • Instruction Fuzzy Hash: 26F06DB1A0024CEFCB41DBB8EE5259DBBB5EB01214B1045DAE808D7251DA321F048B91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 76cb33ad57d0367f7a1a277e6d2a0224d2bafb9b3998271e9807c8c9722d2565
                                  • Instruction ID: 5b8e548cef39f8173dc7d6b868d979bb29fa3df3ca0e98161d266194e1f2414c
                                  • Opcode Fuzzy Hash: 76cb33ad57d0367f7a1a277e6d2a0224d2bafb9b3998271e9807c8c9722d2565
                                  • Instruction Fuzzy Hash: 49F0BE72B052049FE748CA49D458B7AB7E9EB89370B14803AE909CB310DB72AC40CB94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 69ffdab6b4fc4bf48145992959c23c5adb119794fcf07c96b3642b4e2a7bcb8b
                                  • Instruction ID: b30378dfbd681ff91db5b9b4a079d083795ab505ad0ccbc7f96a5b4dd0083360
                                  • Opcode Fuzzy Hash: 69ffdab6b4fc4bf48145992959c23c5adb119794fcf07c96b3642b4e2a7bcb8b
                                  • Instruction Fuzzy Hash: B3F0E53AF156A04BC3670A28642926D2AEB5BC621231D45A3F505C7795DE64CE0687E2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc707bc1bb076c8882e2d307faf5cf234a9f34b549a1c8d75a3b2bec65bfa064
                                  • Instruction ID: 6e4cb86bf7e7c12d8b3f50bd2dc55855add55a593c33c341e4209eb5460c2aaf
                                  • Opcode Fuzzy Hash: bc707bc1bb076c8882e2d307faf5cf234a9f34b549a1c8d75a3b2bec65bfa064
                                  • Instruction Fuzzy Hash: 4FF0A0763042009BE745AA58E8867AA63E6EBC4666B40082AF50AC7681DE649C090BE5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7e9bf89e2465e39c9950c42a9c414ce42ca703855818bce603e463f0a597cc91
                                  • Instruction ID: c47b9a20223ed242766dc68aaefa435894639081d59fbf6dea79d65430fa8b16
                                  • Opcode Fuzzy Hash: 7e9bf89e2465e39c9950c42a9c414ce42ca703855818bce603e463f0a597cc91
                                  • Instruction Fuzzy Hash: 2EF06271D04109DFDB90DF68C845BFDBBF4EB04210F180617D415E2250D77495498BD1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 63f763fec65b5540b8066324e3462a4abcf27618ce882ebe2d28400533f81b69
                                  • Instruction ID: 72a084e0e279a98b111af0c8a28651bbb709c6f07c6ddadebb97b0ec5dc32600
                                  • Opcode Fuzzy Hash: 63f763fec65b5540b8066324e3462a4abcf27618ce882ebe2d28400533f81b69
                                  • Instruction Fuzzy Hash: 4DF0A7337082405FD3956B29EC984967FB5EF8E27131900B7E509C7252DA148C058750
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b49ac2dea281af91d9d352cbb6b2ac3bac2d7c44e57aada87f3b4036f21e47c0
                                  • Instruction ID: 5a66c8339568fe9f65a065a0c135db31c9244ac38f9edc4863d012a91c932498
                                  • Opcode Fuzzy Hash: b49ac2dea281af91d9d352cbb6b2ac3bac2d7c44e57aada87f3b4036f21e47c0
                                  • Instruction Fuzzy Hash: 31E0D153B096901BD386219D3C7505A7FA5DBC65B134401B7F659D72C3ED054C1583D2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8edefdd0363905eadb219e53916a9845246278fc9da8eeb288400eb7fcdb7902
                                  • Instruction ID: 5625c18497653fcee059fbf8dc877cdd67723b7041eb901d289b0cde426900a6
                                  • Opcode Fuzzy Hash: 8edefdd0363905eadb219e53916a9845246278fc9da8eeb288400eb7fcdb7902
                                  • Instruction Fuzzy Hash: 39011471E00219DFCB54DFA5D841AAEBBF1FF48320F10C529E519A7644D336AA02CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8e6c7c00098a57d0f33f93ff61983df53ed20ee32fde04035dc31d2c916c6d95
                                  • Instruction ID: 4904ee3ab34d67fe3e799ee4e54164bb91acfe8ba73929d8fa74624aec5a3f13
                                  • Opcode Fuzzy Hash: 8e6c7c00098a57d0f33f93ff61983df53ed20ee32fde04035dc31d2c916c6d95
                                  • Instruction Fuzzy Hash: 55F03A71D0820ACFDBA0DFA8C445BFDBBF0AB09210F184667E419E6290D77485488BC1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1207a944c6c552dd54db567fa86e2469905ce198c0aa41296df569b3daaf6572
                                  • Instruction ID: 6b35ffe968c9dbed03df57a23ab30f8978e94b85eec18995907901bfd489d7a3
                                  • Opcode Fuzzy Hash: 1207a944c6c552dd54db567fa86e2469905ce198c0aa41296df569b3daaf6572
                                  • Instruction Fuzzy Hash: A8E02C23B2D1019FBB86106C3832C7A2E68DF8918570040ABA883DA24CFF05CF0A03E3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0eea29fa9a278a8b607898870d1a0cc51e1c59157c106fd7e1a8284d0edf578d
                                  • Instruction ID: 9249b9dd4af4176a0ecc024239848b3d91707be425f96aded6b45fb20892f15a
                                  • Opcode Fuzzy Hash: 0eea29fa9a278a8b607898870d1a0cc51e1c59157c106fd7e1a8284d0edf578d
                                  • Instruction Fuzzy Hash: 72E02B323043049B9604BA59F84156BB7E6EBC5666740043AF50AC7281CF70DC080BE1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c7e559f93a0723dfd57c41392ca00d03ce264b2d1c08b953c2393be2c7dc7e3
                                  • Instruction ID: ea6e22663b3e01296678c01fc6d4aa563ae4f3d3aa7840c0caf0511c9b6437fe
                                  • Opcode Fuzzy Hash: 8c7e559f93a0723dfd57c41392ca00d03ce264b2d1c08b953c2393be2c7dc7e3
                                  • Instruction Fuzzy Hash: 06E0D831700715279612AA6EA84185FB7E6EFC46B5380843EF50ECB780DF61ED098BE9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5962d9e9f256b42aeb509750ce9bf8b1083d5035595d5bbbe72e992fef494bcd
                                  • Instruction ID: 3b2b982dd2b0456320be62781519b8a2ba075a5c1bca17515dc006396976bb78
                                  • Opcode Fuzzy Hash: 5962d9e9f256b42aeb509750ce9bf8b1083d5035595d5bbbe72e992fef494bcd
                                  • Instruction Fuzzy Hash: 5AE06D363046249F8754AB9AEC4586FBBEEEBC9625301846FF50AD3251DB71EC008B94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 51b6f9a6540e5f2df25ab7b34f9d9b4bf22bc458e38be55c16ff0cbbd2036499
                                  • Instruction ID: 6ecccf0e4f621097d59d6215b34f015fe9b2a2bf867f6cce8c3312e3ca99683f
                                  • Opcode Fuzzy Hash: 51b6f9a6540e5f2df25ab7b34f9d9b4bf22bc458e38be55c16ff0cbbd2036499
                                  • Instruction Fuzzy Hash: B1F01530E0A348AFCB55DBB898544DE7FB1AB4A310F0442EAE445D7250EA780B058F82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ac2f824a91c414ca4f313954cb4ebea337c7b55139a00cdde17674c1cf3bb795
                                  • Instruction ID: 971b29cc446677cc723a462061d64b549b867e148ce9644eead49de02a5d20e2
                                  • Opcode Fuzzy Hash: ac2f824a91c414ca4f313954cb4ebea337c7b55139a00cdde17674c1cf3bb795
                                  • Instruction Fuzzy Hash: 4CE026353052306F831312A8280B1BA2B9EEACE811309056BF905C7782DD140D0507B6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1827871a368e96c4e3e3a00223f4728d44fd24496dba1ae12d0cff5677dfbfad
                                  • Instruction ID: 47d75707f728478955d5bacc078b16b9aca09a96b2bd7995d6e249878b2c6fb9
                                  • Opcode Fuzzy Hash: 1827871a368e96c4e3e3a00223f4728d44fd24496dba1ae12d0cff5677dfbfad
                                  • Instruction Fuzzy Hash: 4FE02CA27093D00FE78222791C204AA2FA9CBC342171A0097E808CB283C9A88C1A43E2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: db69d09f126b79d718938e36a049b8e28364e08d45a20b9b95a8437108937484
                                  • Instruction ID: b942bd602177e0e3c2e64206caa99fa4338a9cdfaea4428d7dcef4a4366fd1a2
                                  • Opcode Fuzzy Hash: db69d09f126b79d718938e36a049b8e28364e08d45a20b9b95a8437108937484
                                  • Instruction Fuzzy Hash: 49E0263692A248AFDF4141B09D26DF23A689A0330530C0A83F01ACB0A2F2A0872083F0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6ee0949b076ccc44b26d28f0a9f1852f423b920902131d494469132926a716ca
                                  • Instruction ID: 39798cd1aa167e45f0ac3387d46cb9517a39c04cb47171ee8842031bd2918347
                                  • Opcode Fuzzy Hash: 6ee0949b076ccc44b26d28f0a9f1852f423b920902131d494469132926a716ca
                                  • Instruction Fuzzy Hash: 3DE05E23B2D116DF7BC9106D3432C792E699EC95913404037A083DA24CEF42CF0203D7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7e2acc394ec8f9bac6a3e59e9e86171db6a6a8fff244b23230e99439a52f232b
                                  • Instruction ID: ef05f4d03f7f0f5c77a08daf8c087cc46f0cb21b4fbbf1dfcb7873851ab0479d
                                  • Opcode Fuzzy Hash: 7e2acc394ec8f9bac6a3e59e9e86171db6a6a8fff244b23230e99439a52f232b
                                  • Instruction Fuzzy Hash: 78E0D8709601499BCF60CAA8C9863DDBFE1EB02254F6006D9EC56DB381EA315A069B96
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96ee1085b9422ae95bd637925c8c0b3e89c7787505e5102112a03b15c22864bd
                                  • Instruction ID: 45032919573c4cacfe03052e0109cb055cda2e7d686ee29b7a53b4dced96f133
                                  • Opcode Fuzzy Hash: 96ee1085b9422ae95bd637925c8c0b3e89c7787505e5102112a03b15c22864bd
                                  • Instruction Fuzzy Hash: C2E0867101D3814FD7425B3098553DA7FD49F01112F69099BD0C5C5492DB2C96D4DB92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb7878519edd4064c4dc20d7203a19c267c40135bc77ba8a66e098f5475f3ef5
                                  • Instruction ID: 1b7363aa5ae4f0f5967963649625f61f82603d6b0e943c2a3ae7f5626baa047c
                                  • Opcode Fuzzy Hash: bb7878519edd4064c4dc20d7203a19c267c40135bc77ba8a66e098f5475f3ef5
                                  • Instruction Fuzzy Hash: 4CE0EDB1D1120CEFCF80EFB8D98569CBBF4EF04204F6045A6E806D7240EA305B459F55
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c30a5413ecd9efdee85c6c773ec1b2be64a5269fc4fb2b3378eb262116cab293
                                  • Instruction ID: e4ecca341b6c226779df724b8836e31ebe8f9d4fd10a641f294afd5df9a0bbc5
                                  • Opcode Fuzzy Hash: c30a5413ecd9efdee85c6c773ec1b2be64a5269fc4fb2b3378eb262116cab293
                                  • Instruction Fuzzy Hash: A8E0DF71D0A349EFCB41DBB8DE526DE7BB1EE4226571002D6F408E3292EA310F15DBA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 434bff560f0df8a0baa44caa43c96d65b72629d16f2fb29a1ed81e9ca269a185
                                  • Instruction ID: 3e16c556282aff7dd9a6ce7bfc2141ba0fa748fc829e4eebe50ca3bf9ff549ac
                                  • Opcode Fuzzy Hash: 434bff560f0df8a0baa44caa43c96d65b72629d16f2fb29a1ed81e9ca269a185
                                  • Instruction Fuzzy Hash: AAD05E62300124230644219E3C5842FAADED6C99B1350013AE60DC3380DC115C0A03E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f8a90c972bd5a542a99bb5c900e966bf747a14861543e624ebb60bbd9a68367
                                  • Instruction ID: 5923b2793dd903f339a4ed4b8692f9d56c2b3f79d7421a1b89346e752be0e57e
                                  • Opcode Fuzzy Hash: 2f8a90c972bd5a542a99bb5c900e966bf747a14861543e624ebb60bbd9a68367
                                  • Instruction Fuzzy Hash: B8D0C73A7240304745853669785A47DB79FB7C88693104427F517C27C8CE748C0757C2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a8cb722b9ede1c9ea1b510a3f22b6e3655bb2fb8144c9c12b8753286e2f450a6
                                  • Instruction ID: 5ea51a3a889c08f71fa7990e6240e7117f35c5bae9fde80d46eff62044b89fb7
                                  • Opcode Fuzzy Hash: a8cb722b9ede1c9ea1b510a3f22b6e3655bb2fb8144c9c12b8753286e2f450a6
                                  • Instruction Fuzzy Hash: D3D0A73671412417051626AD740B42E7B9EF7C6A66315042FFA0AC3380CE515C054BE7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e3440c2725730a40a4c267a86e116fac98fd7490b770ca8da6d52bddf9542a9a
                                  • Instruction ID: 26c15199fdfb8857aab179d00e21ff2ac75b55288e76fbb388b84294fd2ebe90
                                  • Opcode Fuzzy Hash: e3440c2725730a40a4c267a86e116fac98fd7490b770ca8da6d52bddf9542a9a
                                  • Instruction Fuzzy Hash: BED05B36354218CF938457B9D82987677B9DB84A543418877F916C7311CFB1DC0057D0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bdafb2109a197ede1655df56d16c0106a5718610223be60070471bdb0a3b678d
                                  • Instruction ID: 33005fb423d5359912937405310864350119d7de85351c4e9c0f3a27ceb76192
                                  • Opcode Fuzzy Hash: bdafb2109a197ede1655df56d16c0106a5718610223be60070471bdb0a3b678d
                                  • Instruction Fuzzy Hash: D2D05E33E591A00FC7965AA9AD489D23BA89E0652530941D7F008DB376C5118800C7A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aed36b979c6ed0f1bda181a16cf61814744e0a58609d0c8f5180fde13f7ff24d
                                  • Instruction ID: 9da1af27e8404023b8043f36820b488ecde690254bb8c5f3c5e2d5b40080f3a7
                                  • Opcode Fuzzy Hash: aed36b979c6ed0f1bda181a16cf61814744e0a58609d0c8f5180fde13f7ff24d
                                  • Instruction Fuzzy Hash: A7D05E367002119B83159A5EE840C82F7ADEBC9720319C2BAF90C87716DA71DC42C7E0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c7127ef0f1f7feec455fdba05488fc6ec672451ad8fd98aa4800d381de02e781
                                  • Instruction ID: efd6c4c62f4be954111cead9c69a6a61a449aa7b9de15babcec24ce9cf0dd15b
                                  • Opcode Fuzzy Hash: c7127ef0f1f7feec455fdba05488fc6ec672451ad8fd98aa4800d381de02e781
                                  • Instruction Fuzzy Hash: CDE0B670E0430CAFCB54EFA9E44559DBBF5EF48310F0081E9E809E7350EA345A048F85
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03b780800a45a46190e4824251aea3b4c4ad924ec84f602d0f3de1abd0f5167f
                                  • Instruction ID: 822d1d93cd593f9f536dc2d77d93a5dbb121105c9a2f05894de5be0c3bef14a5
                                  • Opcode Fuzzy Hash: 03b780800a45a46190e4824251aea3b4c4ad924ec84f602d0f3de1abd0f5167f
                                  • Instruction Fuzzy Hash: B2D012A635132427565421AA6C0587F7A9ECACB8713154026E909D3780CDE88C1613F1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a7ca85d45eadd3dfe764ca71f8080875c6ef08d1abdf3a008ed98cd274259ef0
                                  • Instruction ID: 8cf2245171a436bd1b9d451c53ef8f0e4a4657e855ce04ac6bf51489f1b2d9fa
                                  • Opcode Fuzzy Hash: a7ca85d45eadd3dfe764ca71f8080875c6ef08d1abdf3a008ed98cd274259ef0
                                  • Instruction Fuzzy Hash: ACD0A92080E34C7FC62286A48C208EA7F6CDA47011B0400CBF88487332D2695A0453A2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a5c7bc311798f58ee84d200bccce9726a22b2a18fc85daff59a7a07ff5850daa
                                  • Instruction ID: 96c343571421d14a5eda3c8f206a5ef9c3fa9df8a229f30ffaefe6bb798a8c89
                                  • Opcode Fuzzy Hash: a5c7bc311798f58ee84d200bccce9726a22b2a18fc85daff59a7a07ff5850daa
                                  • Instruction Fuzzy Hash: 9BD05E73504208DFD3A0C684D809BE9B768A75632DF2CC25BE02DDA3E2C732D44ACAD1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8908cdb57acbf73979ad7808ba2beec3e2601ed3ae07f1fcb1027c5eca4deaf3
                                  • Instruction ID: e31a492979c89c95511e3af92a9f4f7ca1ac302c7759a9cdb1d0d1674825dc4a
                                  • Opcode Fuzzy Hash: 8908cdb57acbf73979ad7808ba2beec3e2601ed3ae07f1fcb1027c5eca4deaf3
                                  • Instruction Fuzzy Hash: 3AD0123AB11634134121165E740A85ABA9EEBC5A763090477F909C7300CEA1DC0A86E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 58151fbe88dd39984f4bb0839e50b0b2d2776f1299d01625467d686d1e208892
                                  • Instruction ID: 67b47bc3952f74afd01b67b70da2b1de0dceeff31bd3dd56dbccab162930ef1e
                                  • Opcode Fuzzy Hash: 58151fbe88dd39984f4bb0839e50b0b2d2776f1299d01625467d686d1e208892
                                  • Instruction Fuzzy Hash: 5BD017F0A0020CEFCB40EFA8ED0259DBBB9EB44310B1041E9E808D3290EA326F049B91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5b71eacac7c3eda5c4a52ed148cdccf25f09d4f554f487149ccfc7010185045f
                                  • Instruction ID: f8b6c82243404083d94b12e9e05d4af77c0508c62bd5e7d519b867e5677d4fe2
                                  • Opcode Fuzzy Hash: 5b71eacac7c3eda5c4a52ed148cdccf25f09d4f554f487149ccfc7010185045f
                                  • Instruction Fuzzy Hash: 9CD01770A0020CEB8B00EFACE94259DB7F9EF45219B1041A9E808E3341EE326F14AB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598163215.0000000006F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f60000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 345bcc369f0d38de5ee991437a7fb6cbe53b456e6633e1766e40aa615f9d378f
                                  • Instruction ID: 84745823a6a261aee9e3252162ac7c39186b811146f59ece27ea8168378f39b0
                                  • Opcode Fuzzy Hash: 345bcc369f0d38de5ee991437a7fb6cbe53b456e6633e1766e40aa615f9d378f
                                  • Instruction Fuzzy Hash: 65E01230A5030EDBDB548FE1D57576E7B75FF04348F208914D411A6244DB798646CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1d992bde5465bc83903f23415184ed3ca28395a0299c8a4965b3d50d736c96b
                                  • Instruction ID: d30c18ee9f291b7e14d67e4e7d7ba101098b5d4592a81ab67830abf862eae350
                                  • Opcode Fuzzy Hash: a1d992bde5465bc83903f23415184ed3ca28395a0299c8a4965b3d50d736c96b
                                  • Instruction Fuzzy Hash: 16D01334710104DFCB84D6E5DC55D35B795D745704314456EE40FC7251DF72F9029790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: da929185ccf61d50cb5a674e17f17011dc1e40e2e804570b741482cc123cf5f6
                                  • Instruction ID: c739e34d208f9cfb5692d577059487c961e672b2d2f1dd3767ed07cf647137fc
                                  • Opcode Fuzzy Hash: da929185ccf61d50cb5a674e17f17011dc1e40e2e804570b741482cc123cf5f6
                                  • Instruction Fuzzy Hash: 68D09272409205DBD7508A44D9496A0BA65AB41629B6CC29FE41E4A2E1DB32946BCA81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cafb894e8d172142d2559376d40bd68abc7703744955a4c0b1db6e6215697eeb
                                  • Instruction ID: c04064fbd128139c032b1ea5e927c68ef6fb007f2a006e8aab6bffbcd2db5f14
                                  • Opcode Fuzzy Hash: cafb894e8d172142d2559376d40bd68abc7703744955a4c0b1db6e6215697eeb
                                  • Instruction Fuzzy Hash: 98D0C932004208CFD3A0CA84E4086F5BB28A74132DB2C825BE03E9A2E2C772944AC6C2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d9abc5a8a02bb6703c7b012a0d7c4554ff84d804589260240b5fe25f8f9eba22
                                  • Instruction ID: bb9f11d5a3abca35fa966e1e83ab59363394a706b31e9318d8e4e0683b7d25d3
                                  • Opcode Fuzzy Hash: d9abc5a8a02bb6703c7b012a0d7c4554ff84d804589260240b5fe25f8f9eba22
                                  • Instruction Fuzzy Hash: 68D0C931009204CFD350CA44D5486B07B24AB41328B6C829FD41E4E2E1CB32945BCA81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1598200855.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6f70000_VBEhHxyHpJ.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:

                                  Execution Graph

                                  Execution Coverage: 3.4%
                                  Dynamic/Decrypted Code Coverage: 0%
                                  Signature Coverage: 5.4%
                                  Total number of Nodes: 1224
                                  Total number of Limit Nodes: 49
                                  execution_graph
47241->47243 47244 4023ae 11 API calls 47241->47244 47243->47222 47244->47243 47246 402870 47245->47246 47247 402878 47246->47247 47252 402c83 22 API calls 47246->47252 47247->47226 47250->47231 47251->47233 47254 402c98 __EH_prolog 47253->47254 47260 402e34 22 API calls 47254->47260 47256 4023ae 11 API calls 47258 402d72 47256->47258 47257 402d04 47257->47256 47258->47243 47260->47257 47262 4020c7 47261->47262 47263 4023ae 11 API calls 47262->47263 47264 4020d2 47263->47264 47264->46814 47265->46814 47266->46814 47267->46804 47268->46795 47269->46818 47270->46822 47271->46824 47274 40328a 47273->47274 47275 4028c8 28 API calls 47274->47275 47276 4032a9 47274->47276 47275->47276 47276->46834 47278 4051db 47277->47278 47287 405254 47278->47287 47280 4051e8 47280->46837 47282 402041 47281->47282 47283 4023ae 11 API calls 47282->47283 47284 40205b 47283->47284 47309 40265a 47284->47309 47288 405262 47287->47288 47289 405268 47288->47289 47290 40527e 47288->47290 47298 4025d0 47289->47298 47291 4052d5 47290->47291 47293 405296 47290->47293 47307 402884 22 API calls std::_Xinvalid_argument 47291->47307 47295 4028c8 28 API calls 47293->47295 47297 40527c 47293->47297 47295->47297 47297->47280 47299 402868 22 API calls 47298->47299 47300 4025e2 47299->47300 47301 402652 47300->47301 47303 402609 47300->47303 47308 402884 22 API calls std::_Xinvalid_argument 47301->47308 47305 4028c8 28 API calls 47303->47305 47306 40261b 47303->47306 47305->47306 47306->47297 47310 40266b 47309->47310 47311 4023ae 11 API calls 47310->47311 47312 40206d 47311->47312 47312->46840 47313->46848 47314->46853 47317 41ab1f GetCurrentProcess 47316->47317 47318 419e2c 47316->47318 47317->47318 47319 41288e RegOpenKeyExA 47318->47319 47320 4128bc RegQueryValueExA RegCloseKey 47319->47320 47321 4128e6 47319->47321 47320->47321 47322 402073 28 API calls 47321->47322 47323 4128fb 47322->47323 47323->46864 47324->46875 47326 4024d9 47325->47326 47327 4024ea 28 API calls 47326->47327 47328 402091 
47327->47328 47328->46563 47345 43a30a 47329->47345 47331 439750 47351 4390b7 35 API calls 3 library calls 47331->47351 47332 439715 47332->47331 47333 43972a 47332->47333 47344 43972f __cftof 47332->47344 47350 43eead 20 API calls __dosmaperr 47333->47350 47337 43975c 47338 43978b 47337->47338 47352 43a34f 39 API calls __Tolower 47337->47352 47341 4397f7 47338->47341 47353 43a2b6 20 API calls 2 library calls 47338->47353 47354 43a2b6 20 API calls 2 library calls 47341->47354 47342 4398be _strftime 47342->47344 47355 43eead 20 API calls __dosmaperr 47342->47355 47344->46905 47346 43a322 47345->47346 47347 43a30f 47345->47347 47346->47332 47356 43eead 20 API calls __dosmaperr 47347->47356 47349 43a314 __cftof 47349->47332 47350->47344 47351->47337 47352->47337 47353->47341 47354->47342 47355->47344 47356->47349 47363 401f90 47357->47363 47359 402efe 47360 402035 11 API calls 47359->47360 47361 402f0d 47360->47361 47361->46919 47362->46922 47364 4025d0 28 API calls 47363->47364 47365 401f9d 47364->47365 47365->47359 47367 401f6e 47366->47367 47405 402232 47367->47405 47369 401f79 47369->46932 47371 4086e6 47370->47371 47372 402232 11 API calls 47371->47372 47373 408700 47372->47373 47410 404247 47373->47410 47375 40870e 47376 40977e 47375->47376 47441 40ae66 47376->47441 47379 4097d2 47381 402073 28 API calls 47379->47381 47380 4097aa 47382 402073 28 API calls 47380->47382 47383 4097dd 47381->47383 47384 4097b4 47382->47384 47385 402073 28 API calls 47383->47385 47386 41a7b9 28 API calls 47384->47386 47387 4097ec 47385->47387 47388 4097c2 47386->47388 47389 41a04a 79 API calls 47387->47389 47445 40a6da 31 API calls _Yarn 47388->47445 47391 4097f1 CreateThread 47389->47391 47393 409818 CreateThread 47391->47393 47394 40980c CreateThread 47391->47394 47447 409880 47391->47447 47392 4097c9 47395 401fb8 11 API calls 47392->47395 47396 401ee9 11 API calls 47393->47396 47453 40988c 47393->47453 47394->47393 47450 40986a 47394->47450 47395->47379 47397 40982c 47396->47397 
47397->46953 47398->46947 47573 403202 47399->47573 47401 403002 47577 403242 47401->47577 47404->46964 47600 409876 162 API calls 47404->47600 47406 40228c 47405->47406 47407 40223c 47405->47407 47406->47369 47407->47406 47409 402759 11 API calls std::_Deallocate 47407->47409 47409->47406 47411 402868 22 API calls 47410->47411 47412 40425b 47411->47412 47413 404270 47412->47413 47414 404285 47412->47414 47420 4042bf 22 API calls 47413->47420 47422 4027c6 47414->47422 47417 404279 47421 402c28 22 API calls 47417->47421 47419 404283 47419->47375 47420->47417 47421->47419 47423 4027cf 47422->47423 47424 402831 47423->47424 47425 4027d9 47423->47425 47439 402884 22 API calls std::_Xinvalid_argument 47424->47439 47428 4027e2 47425->47428 47431 4027f5 47425->47431 47433 402aca 47428->47433 47430 4027f3 47430->47419 47431->47430 47432 402232 11 API calls 47431->47432 47432->47430 47434 402ad4 __EH_prolog 47433->47434 47440 402e25 22 API calls 47434->47440 47436 402232 11 API calls 47438 402bae 47436->47438 47437 402b40 47437->47436 47438->47430 47440->47437 47442 40979c 47441->47442 47443 40ae6f 47441->47443 47442->47379 47442->47380 47446 40aee6 28 API calls 47443->47446 47445->47392 47446->47442 47456 409c99 47447->47456 47503 4098bb 47450->47503 47520 40a249 47453->47520 47457 409cae Sleep 47456->47457 47477 409be8 47457->47477 47459 409889 47460 409cee CreateDirectoryW 47465 409cc0 47460->47465 47461 409cff GetFileAttributesW 47461->47465 47462 409d16 SetFileAttributesW 47462->47465 47463 4020bf 11 API calls 47471 409d61 47463->47471 47465->47457 47465->47459 47465->47460 47465->47461 47465->47462 47467 401e45 22 API calls 47465->47467 47465->47471 47490 41ad6a 47465->47490 47466 409d90 PathFileExistsW 47466->47471 47467->47465 47469 402097 28 API calls 47469->47471 47470 409e99 SetFileAttributesW 47470->47465 47471->47463 47471->47466 47471->47469 47471->47470 47472 401fc2 28 API calls 47471->47472 47473 40644c 28 API calls 47471->47473 47474 401fb8 11 API calls 
47471->47474 47476 401fb8 11 API calls 47471->47476 47500 41adfe 32 API calls 47471->47500 47501 41ae6b CreateFileW SetFilePointer CloseHandle WriteFile FindCloseChangeNotification 47471->47501 47472->47471 47473->47471 47474->47471 47476->47465 47478 409c95 47477->47478 47480 409bfe 47477->47480 47478->47465 47479 409c1d CreateFileW 47479->47480 47481 409c2b GetFileSize 47479->47481 47480->47479 47482 409c60 FindCloseChangeNotification 47480->47482 47483 409c72 47480->47483 47484 409c55 Sleep 47480->47484 47485 409c4e 47480->47485 47481->47480 47481->47482 47482->47480 47483->47478 47487 4086d0 28 API calls 47483->47487 47484->47482 47502 40a64f 83 API calls 47485->47502 47488 409c8e 47487->47488 47489 40977e 123 API calls 47488->47489 47489->47478 47491 41ad7d CreateFileW 47490->47491 47493 41adb6 47491->47493 47494 41adba 47491->47494 47493->47465 47495 41adc1 SetFilePointer 47494->47495 47496 41adda WriteFile 47494->47496 47495->47496 47497 41add1 CloseHandle 47495->47497 47498 41aded 47496->47498 47499 41adef FindCloseChangeNotification 47496->47499 47497->47493 47498->47499 47499->47493 47500->47471 47501->47471 47502->47484 47504 4098d4 GetModuleHandleA SetWindowsHookExA 47503->47504 47505 409936 GetMessageA 47503->47505 47504->47505 47506 4098f0 GetLastError 47504->47506 47507 409948 TranslateMessage DispatchMessageA 47505->47507 47517 409873 47505->47517 47518 41a6e9 28 API calls 47506->47518 47507->47505 47507->47517 47509 409901 47519 4052dd 28 API calls 47509->47519 47518->47509 47521 40a257 47520->47521 47522 409895 47521->47522 47523 40a2b1 Sleep GetForegroundWindow GetWindowTextLengthW 47521->47523 47526 401f66 11 API calls 47521->47526 47530 40a2f7 GetWindowTextW 47521->47530 47548 40a311 47521->47548 47556 432cf1 EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 47521->47556 47557 43307b 23 API calls __onexit 47521->47557 47558 432cb2 SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection 
__Init_thread_footer 47521->47558 47550 40ae7e 47523->47550 47526->47521 47528 41a641 GetTickCount 47528->47548 47530->47521 47532 401ee9 11 API calls 47532->47548 47533 40a44f 47535 401ee9 11 API calls 47533->47535 47534 40ae66 28 API calls 47534->47548 47535->47522 47536 40a3bc Sleep 47536->47548 47539 402073 28 API calls 47539->47548 47540 4086d0 28 API calls 47540->47548 47543 408832 28 API calls 47543->47548 47545 402ff4 28 API calls 47545->47548 47546 41a7b9 28 API calls 47546->47548 47547 409ba9 29 API calls 47547->47548 47548->47521 47548->47528 47548->47532 47548->47533 47548->47534 47548->47536 47548->47539 47548->47540 47548->47543 47548->47545 47548->47546 47548->47547 47549 401fb8 11 API calls 47548->47549 47559 4086b8 28 API calls 47548->47559 47560 40a6da 31 API calls _Yarn 47548->47560 47561 40aef6 28 API calls 47548->47561 47562 40acbe 40 API calls 2 library calls 47548->47562 47563 440751 20 API calls 47548->47563 47564 4052dd 28 API calls 47548->47564 47549->47548 47551 40ae86 47550->47551 47552 402232 11 API calls 47551->47552 47553 40ae91 47552->47553 47565 40aea6 47553->47565 47555 40aea0 47555->47521 47557->47521 47558->47521 47559->47548 47560->47548 47561->47548 47562->47548 47563->47548 47566 40aee0 47565->47566 47567 40aeb2 47565->47567 47572 402884 22 API calls std::_Xinvalid_argument 47566->47572 47569 4027c6 28 API calls 47567->47569 47571 40aebc 47569->47571 47571->47555 47574 40320e 47573->47574 47583 4035f8 47574->47583 47576 40321b 47576->47401 47578 40324e 47577->47578 47579 402232 11 API calls 47578->47579 47580 403268 47579->47580 47596 402316 47580->47596 47584 403606 47583->47584 47585 403624 47584->47585 47586 40360c 47584->47586 47588 40363c 47585->47588 47589 40367e 47585->47589 47594 403686 28 API calls 47586->47594 47592 4027c6 28 API calls 47588->47592 47593 403622 47588->47593 47595 402884 22 API calls std::_Xinvalid_argument 47589->47595 47592->47593 47593->47576 47594->47593 47597 402327 47596->47597 47598 402232 11 
API calls 47597->47598 47599 4023a7 47598->47599 47599->46958 47602 404166 47601->47602 47603 402232 11 API calls 47602->47603 47604 404171 47603->47604 47612 40419c 47604->47612 47607 4042dc 47623 404333 47607->47623 47609 4042ea 47610 403242 11 API calls 47609->47610 47611 4042f9 47610->47611 47611->46972 47613 4041a8 47612->47613 47616 4041b9 47613->47616 47615 40417c 47615->47607 47617 4041c9 47616->47617 47618 4041e6 47617->47618 47619 4041cf 47617->47619 47620 4027c6 28 API calls 47618->47620 47621 404247 28 API calls 47619->47621 47622 4041e4 47620->47622 47621->47622 47622->47615 47624 40433f 47623->47624 47627 404351 47624->47627 47626 40434d 47626->47609 47628 40435f 47627->47628 47629 40437e 47628->47629 47630 404365 47628->47630 47631 402868 22 API calls 47629->47631 47693 4034c6 28 API calls 47630->47693 47632 404386 47631->47632 47634 4043f9 47632->47634 47635 40439f 47632->47635 47694 402884 22 API calls std::_Xinvalid_argument 47634->47694 47637 4027c6 28 API calls 47635->47637 47647 40437c 47635->47647 47637->47647 47647->47626 47693->47647 47695->46986 47702 43939a 47696->47702 47700 412b77 RegSetValueExA RegCloseKey 47699->47700 47701 412ba1 47699->47701 47700->47701 47701->47007 47705 43931b 47702->47705 47704 4016ed 47704->47005 47706 43932a 47705->47706 47707 43933e 47705->47707 47711 43eead 20 API calls __dosmaperr 47706->47711 47710 43932f __alldvrm __cftof 47707->47710 47712 4471d7 11 API calls 2 library calls 47707->47712 47710->47704 47711->47710 47712->47710 47716 41a454 _Yarn ___scrt_fastfail 47713->47716 47714 402073 28 API calls 47715 414290 47714->47715 47715->47013 47716->47714 47717->47030 47719 414249 WSASetLastError 47718->47719 47720 41423f 47718->47720 47719->47058 47837 4140cd 29 API calls ___std_exception_copy 47720->47837 47722 414244 47722->47719 47725 404826 socket 47724->47725 47726 404819 47724->47726 47728 404840 CreateEventW 47725->47728 47729 404822 47725->47729 47838 40487e WSAStartup 47726->47838 47728->47058 
47729->47058 47730 40481e 47730->47725 47730->47729 47732 404f45 47731->47732 47733 404fca 47731->47733 47734 404f4e 47732->47734 47735 404fa0 CreateEventA CreateThread 47732->47735 47736 404f5d GetLocalTime 47732->47736 47733->47058 47734->47735 47735->47733 47841 405130 47735->47841 47839 41a6e9 28 API calls 47736->47839 47738 404f71 47840 4052dd 28 API calls 47738->47840 47747 4049fb 47746->47747 47751 4048ce 47746->47751 47748 40495e 47747->47748 47749 404a01 WSAGetLastError 47747->47749 47748->47058 47749->47748 47752 404a11 47749->47752 47750 404903 47845 41f56b 27 API calls 47750->47845 47751->47748 47751->47750 47754 4052fe 28 API calls 47751->47754 47755 404912 47752->47755 47756 404a16 47752->47756 47758 4048ef 47754->47758 47761 402073 28 API calls 47755->47761 47856 41b45a 30 API calls 47756->47856 47757 40490b 47757->47755 47760 404921 47757->47760 47762 402073 28 API calls 47758->47762 47771 404930 47760->47771 47772 404967 47760->47772 47764 404a60 47761->47764 47765 4048fe 47762->47765 47763 404a20 47857 4052dd 28 API calls 47763->47857 47767 402073 28 API calls 47764->47767 47768 41a04a 79 API calls 47765->47768 47773 404a6f 47767->47773 47768->47750 47776 402073 28 API calls 47771->47776 47853 42034b 53 API calls 47772->47853 47777 41a04a 79 API calls 47773->47777 47780 40493f 47776->47780 47777->47748 47779 40496f 47782 4049a4 47779->47782 47783 404974 47779->47783 47784 402073 28 API calls 47780->47784 47855 41f711 28 API calls 47782->47855 47786 402073 28 API calls 47783->47786 47787 40494e 47784->47787 47789 404983 47786->47789 47790 41a04a 79 API calls 47787->47790 47792 402073 28 API calls 47789->47792 47804 404953 47790->47804 47791 4049ac 47793 4049d9 CreateEventW CreateEventW 47791->47793 47794 402073 28 API calls 47791->47794 47795 404992 47792->47795 47793->47748 47796 4049c2 47794->47796 47797 41a04a 79 API calls 47795->47797 47799 402073 28 API calls 47796->47799 47800 404997 47797->47800 47801 4049d1 47799->47801 47854 41f9bd 51 API 
calls 47800->47854 47803 41a04a 79 API calls 47801->47803 47805 4049d6 47803->47805 47846 41f5ab 47804->47846 47805->47793 47807 404e20 SetEvent CloseHandle 47806->47807 47808 404e37 closesocket 47806->47808 47810 404eb8 47807->47810 47809 404e44 47808->47809 47811 404e53 47809->47811 47812 404e5a 47809->47812 47810->47058 47860 4050c4 83 API calls 47811->47860 47814 404e6c WaitForSingleObject 47812->47814 47815 404eae SetEvent CloseHandle 47812->47815 47816 41f5ab 3 API calls 47814->47816 47815->47810 47817 404e7b SetEvent WaitForSingleObject 47816->47817 47818 41f5ab 3 API calls 47817->47818 47819 404e93 SetEvent FindCloseChangeNotification FindCloseChangeNotification 47818->47819 47819->47815 47820->47058 47821->47058 47823->47058 47824->47058 47825->47058 47826->47077 47827->47077 47828->47077 47829->47077 47830->47077 47831->47077 47832->47077 47833->47077 47834->47077 47835->47077 47836->47077 47837->47722 47838->47730 47839->47738 47844 40513c 101 API calls 47841->47844 47843 405139 47844->47843 47845->47757 47847 41f5b3 47846->47847 47848 41d01c 47846->47848 47847->47748 47849 41d02a 47848->47849 47858 41c166 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47848->47858 47859 41cd4c DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47849->47859 47852 41d031 47853->47779 47854->47804 47855->47791 47856->47763 47858->47849 47859->47852 47860->47812 47862->47125 47863->47152 47864->47151 47865->47140 47866->47144 47867->47150 47868->47181 47873 40ed05 47871->47873 47872 412831 3 API calls 47872->47873 47873->47872 47874 40eda9 47873->47874 47876 40ed99 Sleep 47873->47876 47881 40ed37 47873->47881 47877 4086d0 28 API calls 47874->47877 47875 4086d0 28 API calls 47875->47881 47876->47873 47878 40edb4 47877->47878 47882 41a7b9 28 API calls 47878->47882 47880 41a7b9 28 API calls 47880->47881 47881->47875 47881->47876 47881->47880 47886 401ee9 11 API calls 47881->47886 47889 402073 28 API calls 47881->47889 47893 412a57 14 API calls 
47881->47893 47904 40c5a4 111 API calls ___scrt_fastfail 47881->47904 47905 412afc 14 API calls 47881->47905 47884 40edc0 47882->47884 47906 412afc 14 API calls 47884->47906 47886->47881 47887 40edd3 47888 401ee9 11 API calls 47887->47888 47890 40eddf 47888->47890 47889->47881 47891 402073 28 API calls 47890->47891 47892 40edf0 47891->47892 47894 412a57 14 API calls 47892->47894 47893->47881 47895 40ee03 47894->47895 47907 411d93 TerminateProcess WaitForSingleObject 47895->47907 47897 40ee0b ExitProcess 47908 411d31 61 API calls 47898->47908 47905->47881 47906->47887 47907->47897 47909 425556 47914 4255d3 send 47909->47914 47915 4254e7 47921 4255bc recv 47915->47921 47922 41c8c8 47923 41c8dd _Yarn ___scrt_fastfail 47922->47923 47924 41cae0 47923->47924 47926 4317cf 21 API calls 47923->47926 47929 41ca94 47924->47929 47936 41c46d DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 47924->47936 47928 41ca8d ___scrt_fastfail 47926->47928 47927 41caf1 47927->47929 47937 4317cf 47927->47937 47928->47929 47931 4317cf 21 API calls 47928->47931 47934 41caba ___scrt_fastfail 47931->47934 47932 41cb2a ___scrt_fastfail 47932->47929 47942 431e55 47932->47942 47934->47929 47935 4317cf 21 API calls 47934->47935 47935->47924 47936->47927 47938 4317dd 47937->47938 47940 4317d9 47937->47940 47939 43a620 _Yarn 21 API calls 47938->47939 47941 4317e2 47939->47941 47940->47932 47941->47932 47945 431d74 47942->47945 47944 431e5d 47944->47929 47946 431d8d 47945->47946 47950 431d83 47945->47950 47947 4317cf 21 API calls 47946->47947 47946->47950 47948 431dae 47947->47948 47948->47950 47951 432142 CryptAcquireContextA 47948->47951 47950->47944 47952 432163 CryptGenRandom 47951->47952 47954 43215e 47951->47954 47953 432178 CryptReleaseContext 47952->47953 47952->47954 47953->47954 47954->47950 47955 42e1f8 47956 42e203 47955->47956 47957 42e217 47956->47957 47959 4317f9 47956->47959 47960 431808 47959->47960 47962 431804 47959->47962 47963 43f7dd 47960->47963 
47962->47957 47964 444a86 47963->47964 47965 444a93 47964->47965 47966 444a9e 47964->47966 47976 444a38 21 API calls 3 library calls 47965->47976 47968 444aa6 47966->47968 47974 444aaf __Getctype 47966->47974 47977 445002 20 API calls _free 47968->47977 47969 444ab4 47978 43eead 20 API calls __dosmaperr 47969->47978 47970 444ad9 RtlReAllocateHeap 47973 444a9b 47970->47973 47970->47974 47973->47962 47974->47969 47974->47970 47979 441850 7 API calls 2 library calls 47974->47979 47976->47973 47977->47973 47978->47973 47979->47974 47980 43a728 47983 43a734 _swprintf ___scrt_is_nonwritable_in_current_image 47980->47983 47981 43a742 47996 43eead 20 API calls __dosmaperr 47981->47996 47983->47981 47985 43a76c 47983->47985 47984 43a747 ___scrt_is_nonwritable_in_current_image __cftof 47991 444189 EnterCriticalSection 47985->47991 47987 43a777 47992 43a818 47987->47992 47991->47987 47993 43a826 47992->47993 47995 43a782 47993->47995 47998 447fec 36 API calls 2 library calls 47993->47998 47997 43a79f LeaveCriticalSection std::_Lockit::~_Lockit 47995->47997 47996->47984 47997->47984 47998->47993 47999 40163e 48000 401646 47999->48000 48001 401649 47999->48001 48002 401688 48001->48002 48004 401676 48001->48004 48003 432df5 new 22 API calls 48002->48003 48005 40167c 48003->48005 48006 432df5 new 22 API calls 48004->48006 48006->48005

                                  Control-flow Graph

                                  APIs
                                  • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4DE
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B4E7
                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4FE
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B501
                                  • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B513
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B516
                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B52C
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B52F
                                  • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040DEE5), ref: 0041B540
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B543
                                  • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040DEE5), ref: 0041B558
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B55B
                                  • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040DEE5), ref: 0041B56C
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B56F
                                  • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040DEE5), ref: 0041B57B
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B57E
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040DEE5), ref: 0041B590
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B593
                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040DEE5), ref: 0041B5A0
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B5A3
                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040DEE5), ref: 0041B5B4
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B5B7
                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040DEE5), ref: 0041B5C4
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B5C7
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040DEE5), ref: 0041B5D9
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B5DC
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040DEE5), ref: 0041B5E9
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B5EC
                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040DEE5), ref: 0041B5F9
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B5FC
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040DEE5), ref: 0041B60E
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B611
                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040DEE5), ref: 0041B61F
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B622
                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040DEE5), ref: 0041B62F
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B632
                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040DEE5), ref: 0041B644
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B647
                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040DEE5), ref: 0041B654
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041B657
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$HandleModule$LibraryLoad
                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll$ntdll.dll$shcore$user32
                                  • API String ID: 551388010-626199206
                                  • Opcode ID: d2d1844e2719a9dcaac12d858f5210b20b1b817276e2085d58da0c67cb1bf55f
                                  • Instruction ID: 5a53dc12768b909e1e2e060ec693a1e80cbb19dbcc6530350e1da79dd032a68e
                                  • Opcode Fuzzy Hash: d2d1844e2719a9dcaac12d858f5210b20b1b817276e2085d58da0c67cb1bf55f
                                  • Instruction Fuzzy Hash: C441EEA0E407187AD620BFB65D49E1B3E9CEA41B547110837B508B3551FAFCA8908F6F

                                  Control-flow Graph

Control-flow graph of 4098bb (block colouring for Executed / Not Executed is not reproduced here):
• 4098bb-4098d2: entry; continues to 4098d4 or jumps straight to the message loop at 409936
• 4098d4-4098ee: GetModuleHandleA, SetWindowsHookExA; continues to 409936 on success, to 4098f0 otherwise
• 4098f0-409934: GetLastError, then subcalls 41a6e9, 4052dd, 402073, 41a04a and 401fb8; then 409964
• 409936-409946: GetMessageA; goes to 409948 while messages arrive, to 409962 otherwise
• 409948-409960: TranslateMessage, DispatchMessageA; loops back to 409936 or falls to 409962
• 409962 and 409964-409969: function exit
                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004098D6
                                  • SetWindowsHookExA.USER32(0000000D,004098A7,00000000), ref: 004098E4
                                  • GetLastError.KERNEL32 ref: 004098F0
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040993E
                                  • TranslateMessage.USER32(?), ref: 0040994D
                                  • DispatchMessageA.USER32(?), ref: 00409958
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                  • String ID: @0G$Keylogger initialization failure: error
                                  • API String ID: 3219506041-3274857593
                                  • Opcode ID: 75334eea5a16911a312285d66ac90c2fa49c6d9d23ed2c80bc0e17c84790d77e
                                  • Instruction ID: c40f6cef292aa3bb57f49984c9f8b97dc6da6adf0f265d4e9e2bb6cec8c4e7f3
                                  • Opcode Fuzzy Hash: 75334eea5a16911a312285d66ac90c2fa49c6d9d23ed2c80bc0e17c84790d77e
                                  • Instruction Fuzzy Hash: E81154726053016BC7107B76EC0A86B77ECDB95715F10467EF891E22A2EB38D940C76A

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00412831: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00412851
                                    • Part of subcall function 00412831: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00473238), ref: 0041286F
                                    • Part of subcall function 00412831: RegCloseKey.ADVAPI32(?), ref: 0041287A
                                  • Sleep.KERNELBASE(00000BB8), ref: 0040ED9E
                                  • ExitProcess.KERNEL32 ref: 0040EE0D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                  • String ID: 2G$4.6.0 Pro$82G$override$pth_unenc
                                  • API String ID: 2281282204-2513004603
                                  • Opcode ID: 7548af7d63e9ffe02ea3c5f8f594128dcc27260e8176ecd624eff70da54d0d47
                                  • Instruction ID: 45cdfc5c20f0b08445f9514382da16a4fbbca6339717cc3b6e195a3b8059c3c5
                                  • Opcode Fuzzy Hash: 7548af7d63e9ffe02ea3c5f8f594128dcc27260e8176ecd624eff70da54d0d47
                                  • Instruction Fuzzy Hash: 2721DE31B0020127C608B6B79957AAF35999F80708F50447FF809AA2D7EEBD8A5583DF

                                  Control-flow Graph

                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 00404F61
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00005130,?,00000000,00000000), ref: 00404FC0
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F74
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$EventLocalThreadTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 2532271599-1507639952
                                  • Opcode ID: 54bc9e5a10ebd48983f2d396a183439e17b9bf9f9fce820a56f2a71b63ed3014
                                  • Instruction ID: 81ef762065af47e4dab8e296ef88b7c3b87c262db6361300a2954e924f939db2
                                  • Opcode Fuzzy Hash: 54bc9e5a10ebd48983f2d396a183439e17b9bf9f9fce820a56f2a71b63ed3014
                                  • Instruction Fuzzy Hash: D711E3719043816AC720AB769C0DE9BBFB89BD6710F04016FF44562282DAB89485CBBA
                                  APIs
                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431DCA,00000034,?,?,00FB6AB8), ref: 00432154
                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431E5D,00000000,?,00000000), ref: 0043216A
                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431E5D,00000000,?,00000000,0041CB5C), ref: 0043217C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$Context$AcquireRandomRelease
                                  • String ID:
                                  • API String ID: 1815803762-0
                                  • Opcode ID: 87b52fe04148b378890c993190cc93a161ae8e284d280082790b9f2e946aa0e2
                                  • Instruction ID: adb372f61302f159ea37c7bd5427d8c721a4b5411f3f4e54cdc0eebfb1d2689f
                                  • Opcode Fuzzy Hash: 87b52fe04148b378890c993190cc93a161ae8e284d280082790b9f2e946aa0e2
                                  • Instruction Fuzzy Hash: 98E0923130C310BBFF310F25BE08F173A94EB89B75F21063AF211E40E4D6918801961C
                                  APIs
                                  • GetComputerNameExW.KERNELBASE(00000001,?,00000037,00473298), ref: 0041A185
                                  • GetUserNameW.ADVAPI32(?,00000010), ref: 0041A19D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Name$ComputerUser
                                  • String ID:
                                  • API String ID: 4229901323-0
                                  • Opcode ID: 3a05fdecc79f179d19d77a8588840d9a6b4a7c8c0663e3407321dda6286171b8
                                  • Instruction ID: ca40992a929d7f440b27bf36de23ad6c7f00c11e63c364431abc424016e70018
                                  • Opcode Fuzzy Hash: 3a05fdecc79f179d19d77a8588840d9a6b4a7c8c0663e3407321dda6286171b8
                                  • Instruction Fuzzy Hash: 1F01FF7290011DABCB04EBD5DC45ADEB7BCEF44319F10016AB505B61D1EEB86A89CB98
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  • Opcode ID: 4a5bcecb3f40c54b5b167585e102f21ee889ffcc3164b5e38b4e4b437a608611
                                  • Instruction ID: 746b65c02e61119df28bf9f7234443caa874ec4429a0c44ab9f61596d4479e10
                                  • Opcode Fuzzy Hash: 4a5bcecb3f40c54b5b167585e102f21ee889ffcc3164b5e38b4e4b437a608611
                                  • Instruction Fuzzy Hash: 96B092B9108202FFCA160B60DD0887A7EAAABC8381F008A2CF186411B1C636C451AB26

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0041B4C9: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4DE
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B4E7
                                    • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4FE
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B501
                                    • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B513
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B516
                                    • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B52C
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B52F
                                    • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040DEE5), ref: 0041B540
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B543
                                    • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040DEE5), ref: 0041B558
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B55B
                                    • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040DEE5), ref: 0041B56C
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B56F
                                    • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040DEE5), ref: 0041B57B
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B57E
                                    • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040DEE5), ref: 0041B590
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B593
                                    • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040DEE5), ref: 0041B5A0
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5A3
                                    • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040DEE5), ref: 0041B5B4
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5B7
                                    • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040DEE5), ref: 0041B5C4
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5C7
                                    • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040DEE5), ref: 0041B5D9
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5DC
                                    • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040DEE5), ref: 0041B5E9
                                    • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5EC
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040DEF2
                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040E0E6
                                    • Part of subcall function 0041047A: __EH_prolog.LIBCMT ref: 0041047F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologMutexNameOpen
                                  • String ID: 2G$ 2G$ 2G$ 2G$ 2G$82G$82G$82G$82G$82G$82G$82G$82G$@-G$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$P2G$Remcos Agent initialized$Software\$User$del$del$exepath$h2G$h2G$licence$license_code.txt$p3G
                                  • API String ID: 1897280938-3624135051
                                  • Opcode ID: d8d878ccbbb5828f153489ab440400d221cbb08d95dff6daa7b4a5f7f3b4c95c
                                  • Instruction ID: 9e1fa40da8247c9b585ea9a59a3a54fb039144435d37588c5c456d259acc364f
                                  • Opcode Fuzzy Hash: d8d878ccbbb5828f153489ab440400d221cbb08d95dff6daa7b4a5f7f3b4c95c
                                  • Instruction Fuzzy Hash: 3532E670B0434167DA14BB729C57B6E26998F81708F04487FB946BB2E3EE7C8D45839E

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNEL32(00000000,00000029,00473238,00473298,00000000), ref: 004142C2
                                  • WSAGetLastError.WS2_32(00000000,00000001), ref: 004144D3
                                  • Sleep.KERNELBASE(00000000,00000002), ref: 00414E09
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$ErrorLastLocalTime
                                  • String ID: 2G$ | $%I64u$4.6.0 Pro$82G$@-G$@0G$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name$4G$4G$4G
                                  • API String ID: 524882891-545394116
                                  • Opcode ID: 4c203997996720f9fb36aa82831c41203fd54e96ec41f930e9c494708977f271
                                  • Instruction ID: ab0e32b11b9d89d3eba901e54de1f942eff96493c18d1503d8c82c51ace3a389
                                  • Opcode Fuzzy Hash: 4c203997996720f9fb36aa82831c41203fd54e96ec41f930e9c494708977f271
                                  • Instruction Fuzzy Hash: 52529D31A001155BCB18F761DD96AEEB3699F90308F1041BFF40A761E2EF785F868A9D

                                  Control-flow Graph

                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 0040A2AB
                                  • Sleep.KERNELBASE(000001F4), ref: 0040A2B6
                                  • GetForegroundWindow.USER32 ref: 0040A2BC
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040A2C5
                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A2F9
                                  • Sleep.KERNEL32(000003E8), ref: 0040A3C7
                                    • Part of subcall function 00409BA9: SetEvent.KERNEL32(?,?,00000000,0040A780,00000000), ref: 00409BD5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                  • String ID: [${ User has been idle for $ minutes }$4LG$4LG$4LG$]
                                  • API String ID: 911427763-2724478313
                                  • Opcode ID: d973ddfcace0162dab240c32536654bb2391a87bf6db9de2cf5435de0ebec842
                                  • Instruction ID: e6d26ec29f6efd9614cca4dfe6135636dd5a7624a68a80ed8f9da63f1efc7c64
                                  • Opcode Fuzzy Hash: d973ddfcace0162dab240c32536654bb2391a87bf6db9de2cf5435de0ebec842
                                  • Instruction Fuzzy Hash: 3351C3316083405BC314FB71D886A6F77A5AB94308F40097FF886A62E2DF7C9A55C69F

                                  Control-flow Graph

                                  APIs
                                  • connect.WS2_32(?,?,?), ref: 004048C0
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                                  • WSAGetLastError.WS2_32 ref: 00404A01
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                  • API String ID: 994465650-2151626615
                                  • Opcode ID: a3a9e611a9eea382d12017b55ae216bda3f6cd939b8bd63420a6bf8d1996337b
                                  • Instruction ID: 4dac077a67aca900205559ee8606d27a3048533bf49cbaad300c4d8012786ffc
                                  • Opcode Fuzzy Hash: a3a9e611a9eea382d12017b55ae216bda3f6cd939b8bd63420a6bf8d1996337b
                                  • Instruction Fuzzy Hash: 5641C5B1F4020177D6047B7A890B96E7A25AB81304B50017FF901226D3EE7DA96587EF

                                  Control-flow Graph

                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00472EE0,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E18
                                  • SetEvent.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E23
                                  • CloseHandle.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E2C
                                  • closesocket.WS2_32(?), ref: 00404E3A
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E71
                                  • SetEvent.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E82
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E89
                                  • SetEvent.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E9A
                                  • FindCloseChangeNotification.KERNELBASE(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E9F
                                  • FindCloseChangeNotification.KERNELBASE(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404EA4
                                  • SetEvent.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404EB1
                                  • CloseHandle.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404EB6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEvent$ObjectSingleWait$ChangeFindHandleNotification$closesocket
                                  • String ID:
                                  • API String ID: 4074944092-0
                                  • Opcode ID: a2ca426a8ef2e4f608ce268c0268c1b17c9aae0f7f500dc5094b97f115eed4e6
                                  • Instruction ID: 36cdbf8d69702b382ce25e6a3e5e0fa9723ae9905729ab2d5c1a42a88e4aa4cf
                                  • Opcode Fuzzy Hash: a2ca426a8ef2e4f608ce268c0268c1b17c9aae0f7f500dc5094b97f115eed4e6
                                  • Instruction Fuzzy Hash: D6211A71044B00AFD7216B26DC49A1BBBA6FF40326F104A3DE1A611AF1CB75A851DB98

                                  Control-flow Graph

                                  APIs
                                  • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040D09E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: LongNamePath
                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                  • API String ID: 82841172-425784914
                                  • Opcode ID: f9081cf8b8e9c6096ce8b59407edeced367fa11585138a10e08e52121d94a601
                                  • Instruction ID: 6b614a152261b5ac042ce2f1e9ed8ca0f13a8186c1863ac34b2aa9a3c23cc976
                                  • Opcode Fuzzy Hash: f9081cf8b8e9c6096ce8b59407edeced367fa11585138a10e08e52121d94a601
                                  • Instruction Fuzzy Hash: A24155715082009AC204F761D852DAFB3E8AE9075CF10053FF586760E2EE789A4AC65F

                                  Control-flow Graph (legend: Executed / Not Executed; rendered graph omitted)
                                  APIs
                                    • Part of subcall function 0041AB12: GetCurrentProcess.KERNEL32(?,?,?,0040CFAE,WinDir,00000000,00000000), ref: 0041AB23
                                    • Part of subcall function 0041288E: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004128B2
                                    • Part of subcall function 0041288E: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004128CF
                                    • Part of subcall function 0041288E: RegCloseKey.KERNELBASE(?), ref: 004128DA
                                  • StrToIntA.SHLWAPI(00000000,0046A9AC,00000000,00000000,00000000,00473298,00000003,Exe,00000000,0000000E,00000000,0046408C,00000003,00000000), ref: 00419E97
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CloseCurrentOpenProcessQueryValue
                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$P9G$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                  • API String ID: 1866151309-2787534724
                                  • Opcode ID: 84b1c4753be20ea6fcc25a739c086d543e31789d1c034ba7582dc327abde189c
                                  • Instruction ID: 2d8a69e0546d05ecafa38ff55f4d44f4812dfb7c18b39c611b81bdfdf30cbcec
                                  • Opcode Fuzzy Hash: 84b1c4753be20ea6fcc25a739c086d543e31789d1c034ba7582dc327abde189c
                                  • Instruction Fuzzy Hash: C311E370A4020116C704B3659C5BEEF7A1D8790305F64053FF906B61D2EB7C1C9686AF

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNELBASE(00001388), ref: 00409CB3
                                    • Part of subcall function 00409BE8: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409CC0), ref: 00409C1E
                                    • Part of subcall function 00409BE8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409CC0), ref: 00409C2D
                                    • Part of subcall function 00409BE8: Sleep.KERNEL32(00002710,?,?,?,00409CC0), ref: 00409C5A
                                    • Part of subcall function 00409BE8: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00409CC0), ref: 00409C61
                                  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00409CEF
                                  • GetFileAttributesW.KERNELBASE(00000000), ref: 00409D00
                                  • SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 00409D17
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409D91
                                    • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0046A8F0,?,00000000,00000000,00000000,00000000,00000000), ref: 00409E9A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
                                  • String ID:
                                  • API String ID: 110482706-0
                                  • Opcode ID: bb570702a125609b5b5db2e1b1ec6f43af5979226d6ae3e9d49bc7aa2ab35990
                                  • Instruction ID: a26b43d943647d041280ad137afe2d2b6888429955654135db8bde193f98b3d7
                                  • Opcode Fuzzy Hash: bb570702a125609b5b5db2e1b1ec6f43af5979226d6ae3e9d49bc7aa2ab35990
                                  • Instruction Fuzzy Hash: 35514D312043015BC714BB72D8A6ABF779A9F80308F04453FB946B72E3DE7D9D05869A

                                  Control-flow Graph (legend: Executed / Not Executed; rendered graph omitted)
                                  APIs
                                  • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041AE89,00000000,00000000,?), ref: 0041ADA9
                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,?,00409E5A,?,00000000,00000000), ref: 0041ADC6
                                  • CloseHandle.KERNEL32(00000000,?,00409E5A,?,00000000,00000000), ref: 0041ADD2
                                  • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00409E5A,?,00000000,00000000), ref: 0041ADE3
                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,00409E5A,?,00000000,00000000), ref: 0041ADF0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
                                  • String ID:
                                  • API String ID: 1087594267-0
                                  • Opcode ID: bf69a830dd746d7c6ae827066bb4a5dedd865cc1e8c81bdcf7b86caaf748b986
                                  • Instruction ID: 53714e6fa216203b7318fdbd75d04b9937c0d47cb555b8ec8e0bf6eb367397e8
                                  • Opcode Fuzzy Hash: bf69a830dd746d7c6ae827066bb4a5dedd865cc1e8c81bdcf7b86caaf748b986
                                  • Instruction Fuzzy Hash: CE110871206A117FE6104A24BC88EFB779EEB42367F10463AF552C26D0C634CC86563F

                                  Control-flow Graph

                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,00409880,?,00000000,00000000), ref: 00409806
                                  • CreateThread.KERNELBASE(00000000,00000000,0040986A,?,00000000,00000000), ref: 00409816
                                  • CreateThread.KERNELBASE(00000000,00000000,0040988C,?,00000000,00000000), ref: 00409822
                                    • Part of subcall function 0040A6DA: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                                    • Part of subcall function 0040A6DA: wsprintfW.USER32 ref: 0040A769
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CreateThread$LocalTimewsprintf
                                  • String ID: Offline Keylogger Started
                                  • API String ID: 465354869-4114347211
                                  • Opcode ID: 85d050e59618c14ffd730f4f9c1802c0224b17be9da0037921fadffb01e29b9a
                                  • Instruction ID: de04d47bbc5f4bbdcfa168c24a1029e81d3d9c9d0fe0406f7b4d0e9c742a0715
                                  • Opcode Fuzzy Hash: 85d050e59618c14ffd730f4f9c1802c0224b17be9da0037921fadffb01e29b9a
                                  • Instruction Fuzzy Hash: CC1198A25003087AD214BB769C86DBB7A5CDA82398B40457FF845222C3DA785E19C6FE

                                  Control-flow Graph (legend: Executed / Not Executed; rendered graph omitted)
                                  APIs
                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00412A66
                                  • RegSetValueExA.KERNELBASE(?,00465480,00000000,?,00000000,00000000,00473238,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A8E
                                  • RegCloseKey.KERNELBASE(?,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A99
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CloseCreateValue
                                  • String ID: pth_unenc
                                  • API String ID: 1818849710-4028850238
                                  • Opcode ID: 94021dc1c1d03cfd80497e16010bebe54771d725e16ad2690a32dfc7f40571c1
                                  • Instruction ID: 065d1f4c68480eb08966ef6070b87cad1f8bbd79d217faba3f808efe567dd641
                                  • Opcode Fuzzy Hash: 94021dc1c1d03cfd80497e16010bebe54771d725e16ad2690a32dfc7f40571c1
                                  • Instruction Fuzzy Hash: 99F0F632140208BFCB00AFA0ED45DEE376CEF04750F104276BD09A61A2D7359E10DB94
                                  APIs
                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,t@F), ref: 00412B6D
                                  • RegSetValueExA.KERNELBASE(t@F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B6CC,00464C08,00000001,000000AF,00464074), ref: 00412B88
                                  • RegCloseKey.KERNELBASE(?,?,?,?,0040B6CC,00464C08,00000001,000000AF,00464074), ref: 00412B93
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CloseCreateValue
                                  • String ID: t@F
                                  • API String ID: 1818849710-3279925822
                                  • Opcode ID: 61de9578f52ee8f0e092330830a64b9a8e5eb202a0654fe1bc12343b251ebfa2
                                  • Instruction ID: f68fcc0987728696b45baa029fbd8ba208f586d8d4f13f853052a764fd9765f2
                                  • Opcode Fuzzy Hash: 61de9578f52ee8f0e092330830a64b9a8e5eb202a0654fe1bc12343b251ebfa2
                                  • Instruction Fuzzy Hash: 13E06D72544308FFDF109FA0ED05FEA7BACEB04BA1F1040A5BF09E6191D2759E14A7A8
                                  APIs
                                  • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409CC0), ref: 00409C1E
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409CC0), ref: 00409C2D
                                  • Sleep.KERNEL32(00002710,?,?,?,00409CC0), ref: 00409C5A
                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00409CC0), ref: 00409C61
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: File$ChangeCloseCreateFindNotificationSizeSleep
                                  • String ID:
                                  • API String ID: 4068920109-0
                                  • Opcode ID: ef05f1643fa27d05428d6094122ea9931c5eea0e56f1a959d776b1178b71fea0
                                  • Instruction ID: 776417b5dd6b277b78666ee6a0049f3b3f0777a2ef627118506dbb8d74d8395d
                                  • Opcode Fuzzy Hash: ef05f1643fa27d05428d6094122ea9931c5eea0e56f1a959d776b1178b71fea0
                                  • Instruction Fuzzy Hash: 2C11EB306487C07AF721AB34A8C9A2F3ADEA745705F04447FF187661D3C6799D84831D
                                  APIs
                                  • _wcslen.LIBCMT ref: 004094B4
                                    • Part of subcall function 0040977E: CreateThread.KERNELBASE(00000000,00000000,00409880,?,00000000,00000000), ref: 00409806
                                    • Part of subcall function 0040977E: CreateThread.KERNELBASE(00000000,00000000,0040986A,?,00000000,00000000), ref: 00409816
                                    • Part of subcall function 0040977E: CreateThread.KERNELBASE(00000000,00000000,0040988C,?,00000000,00000000), ref: 00409822
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CreateThread$_wcslen
                                  • String ID: @0G$@0G
                                  • API String ID: 1119755333-1610251930
                                  • Opcode ID: 3e2700912a8126a4a54e2fc3c854721449d91b495db0ab681c51eacd73c18f92
                                  • Instruction ID: 8240ad2e3e1aaba782ca1c27cc07c235db1714dcc0b5eaf1d0f18af9b8f17ace
                                  • Opcode Fuzzy Hash: 3e2700912a8126a4a54e2fc3c854721449d91b495db0ab681c51eacd73c18f92
                                  • Instruction Fuzzy Hash: 81216171914149AACB05FFA6EC528EE7B78AE11304F00403FF805721E7DE385A59D7DA
                                  APIs
                                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040E146,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046408C,00000003,00000000), ref: 0040C586
                                  • GetLastError.KERNEL32 ref: 0040C591
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CreateErrorLastMutex
                                  • String ID: h2G
                                  • API String ID: 1925916568-3159213000
                                  • Opcode ID: 4bc70ddb443fc9c159d84246c0f6c07cfd46d333705cf816a3e212b6fca9faca
                                  • Instruction ID: e6373a13d656ff6d6707b7a2cb114a9c32d4b8c21df5bc8e6e0dabda27f4a646
                                  • Opcode Fuzzy Hash: 4bc70ddb443fc9c159d84246c0f6c07cfd46d333705cf816a3e212b6fca9faca
                                  • Instruction Fuzzy Hash: 1CD01270709301DBD7141B74AC5976C35609B44703F0044B9F50BD55D1DB788480951A
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004128B2
                                  • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004128CF
                                  • RegCloseKey.KERNELBASE(?), ref: 004128DA
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 046fa9cafb6435db0e72aae511f04d8dcc1f9af16eddc047814711fa63e59b6b
                                  • Instruction ID: fa08edaff8def4b33d2b8c01463c49d1e7a9fcd5e8e464c1f7b2d0f15f6578c3
                                  • Opcode Fuzzy Hash: 046fa9cafb6435db0e72aae511f04d8dcc1f9af16eddc047814711fa63e59b6b
                                  • Instruction Fuzzy Hash: 0701DB76A00228BBDB205B95DD08DDF7FBDEB44751F004166BF04E2140D6748E55D7A4
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00412851
                                  • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00473238), ref: 0041286F
                                  • RegCloseKey.ADVAPI32(?), ref: 0041287A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 512b3eed686be6b2a2b717d5ef0a3d80ed66878d695c99a4db23412f4a9e56d0
                                  • Instruction ID: 69e43ff86f888a52894dd2156315322568ee34e4473ddb17d5254d30eae93871
                                  • Opcode Fuzzy Hash: 512b3eed686be6b2a2b717d5ef0a3d80ed66878d695c99a4db23412f4a9e56d0
                                  • Instruction Fuzzy Hash: 38F06D7294020CBFDF109FA0AD05FEEBBBCEB04B11F1041A1FA04E6191D2748A549B94
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B716,00464C08), ref: 004127FE
                                  • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B716,00464C08), ref: 00412812
                                  • RegCloseKey.KERNELBASE(?,?,?,0040B716,00464C08), ref: 0041281D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: e324eca442c7ad9a6d0e8b8ac30f941762bccad947d2c0f2533ecc126fcf5853
                                  • Instruction ID: 84763f97e707706bd7246b5a08c576b286280a2d5f648d27a36c848fc85b91b7
                                  • Opcode Fuzzy Hash: e324eca442c7ad9a6d0e8b8ac30f941762bccad947d2c0f2533ecc126fcf5853
                                  • Instruction Fuzzy Hash: 9CE06531905338BB9B205BA2AD0DDEB7FACDF06BA1B010165BD09A1151D2658E50E6E4
                                  APIs
                                  • _free.LIBCMT ref: 00444AA7
                                    • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B8F,?,?,00437117,?,?,00000000,?,?,0040D366,00433B8F,?,?,?,?), ref: 00444A6A
                                  • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,0043180D,00000000,0000000F,0042E217,?,?,004302BE,?,?,00000000), ref: 00444AE3
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: AllocateHeap$_free
                                  • String ID:
                                  • API String ID: 1482568997-0
                                  • Opcode ID: 36f31b41252dabdd3ccd32d7c95e91fca07e2e5538f8792d367621ddf272ea40
                                  • Instruction ID: 455c427813147b6f3d2efebb8123bf363e795c38cc092496033f2fe0a3bdb231
                                  • Opcode Fuzzy Hash: 36f31b41252dabdd3ccd32d7c95e91fca07e2e5538f8792d367621ddf272ea40
                                  • Instruction Fuzzy Hash: 76F0F632281215AAFB216A66AC01F6B379D9FC1B74F24412FF914B62D1DF2CCC0041AD
                                  APIs
                                  • socket.WS2_32(?,00000001,00000006), ref: 00404832
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,004052EB,?,?,00000000,00000000,?,Offline Keylogger Started,00000000,004051E8,?,00000000), ref: 0040486E
                                    • Part of subcall function 0040487E: WSAStartup.WS2_32(00000202,00000000), ref: 00404893
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: CreateEventStartupsocket
                                  • String ID:
                                  • API String ID: 1953588214-0
                                  • Opcode ID: ffe2297606e416d6c3b5ccad3e5f88dc31d939aa0b0f85ed0b7fe91bade190d6
                                  • Instruction ID: 59a91cd762d8530cb4f753689cd2647fba7b16dd7f4d7e7b9f20fabe365cb730
                                  • Opcode Fuzzy Hash: ffe2297606e416d6c3b5ccad3e5f88dc31d939aa0b0f85ed0b7fe91bade190d6
                                  • Instruction Fuzzy Hash: 200171B14087809FD7359F39B845697BFE0AB15304F048D6EF1DA97B91D3B1A481CB58
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: caff369a3e44734e3409fc0f357ce8361766cfd02b4466f25ae0342934686fc9
                                  • Instruction ID: bcf894cbe7f558628445d92d8d60389314e0f69a1dd629ba4e5ad944aee8928b
                                  • Opcode Fuzzy Hash: caff369a3e44734e3409fc0f357ce8361766cfd02b4466f25ae0342934686fc9
                                  • Instruction Fuzzy Hash: 73F027B02042016BCB1C9B34CD5062A37969B98356F248F3FF01BD61E0DB3ACC85C60D
                                  APIs
                                    • Part of subcall function 004443F4: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446B4A,00000001,00000364,?,0043A5DA,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00444435
                                  • _free.LIBCMT ref: 0044E9C0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: AllocateHeap_free
                                  • String ID:
                                  • API String ID: 614378929-0
                                  • Opcode ID: e8cc168a206cb2f203358c90cc341d876996d2f60e2126ea3eb12d9ded59db87
                                  • Instruction ID: b43b9af27dcddb4849891f15c6ca459ff88ab6a8378577c786593469fbe10df3
                                  • Opcode Fuzzy Hash: e8cc168a206cb2f203358c90cc341d876996d2f60e2126ea3eb12d9ded59db87
                                  • Instruction Fuzzy Hash: E201D6B22003456BF721CE6AD845D5AFBD9FB85374F25051EE584832C0EA34A906C678
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446B4A,00000001,00000364,?,0043A5DA,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00444435
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: fb9104f22dcedbe8120434fadbbdadfd72ec0fc3c5c24ebd2bf5bbd80fe2d0b8
                                  • Instruction ID: 9d40b9d846304a4da4b5929be8e6dfedca74db581f7d738e17eab2e9df3cce7a
                                  • Opcode Fuzzy Hash: fb9104f22dcedbe8120434fadbbdadfd72ec0fc3c5c24ebd2bf5bbd80fe2d0b8
                                  • Instruction Fuzzy Hash: 14F0E931605234A6FB211E629C06B5B7748AFC17B5F148027FC09A7690CA28DC0186ED
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00433B8F,?,?,00437117,?,?,00000000,?,?,0040D366,00433B8F,?,?,?,?), ref: 00444A6A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 9797f3068208b50acbf799f5f92ac938ca8f5a32afd615d80b0c57cacc916379
                                  • Instruction ID: fd7924e8b65afa23adb338f609f8de03ed02b176ca6f4a568383a370c07dd500
                                  • Opcode Fuzzy Hash: 9797f3068208b50acbf799f5f92ac938ca8f5a32afd615d80b0c57cacc916379
                                  • Instruction Fuzzy Hash: 69E0ED31581220AAF7307A669C05B6B3A8C9BD17B1F195027AC19B2AD4CB28CD0082ED
                                  APIs
                                  • WSAStartup.WS2_32(00000202,00000000), ref: 00404893
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startup
                                  • String ID:
                                  • API String ID: 724789610-0
                                  • Opcode ID: 4b5b1acb0718588404019be5d9f15640a6bb1c21c3ccc0dc3f846b824dafbe4c
                                  • Instruction ID: e98c7a7dcee344fb28133bcb2ee241acd4b45dcbdfc1a3ef5d864df1fc63b674
                                  • Opcode Fuzzy Hash: 4b5b1acb0718588404019be5d9f15640a6bb1c21c3ccc0dc3f846b824dafbe4c
                                  • Instruction Fuzzy Hash: 7ED012325AD7088EE610AAB8AD0F8A47B5CC313A15F0003BA6CB9835D3F640571CC2AB
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: a8d70cb1d05a31d846f06bfe6dacdd29f23318bb0f64ab28444019d680c4d177
                                  • Instruction ID: bfab3a08044aaf07d4c990dee58e7a6731fa9f306c9d2c0144e000b13adf200d
                                  • Opcode Fuzzy Hash: a8d70cb1d05a31d846f06bfe6dacdd29f23318bb0f64ab28444019d680c4d177
                                  • Instruction Fuzzy Hash: 56B092B9108302BFCA160B60DC0887A7EA6ABC8385B00882CF146411B0C636C460AB26
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 004056C6
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  • __Init_thread_footer.LIBCMT ref: 00405703
                                  • CreatePipe.KERNEL32(00474C0C,00474BF4,00474B18,00000000,0046408C,00000000), ref: 00405796
                                  • CreatePipe.KERNEL32(00474BF8,00474C14,00474B18,00000000), ref: 004057AC
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00474B28,00474BFC), ref: 0040581F
                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                                    • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00472F78,00464090,00000062,00464074), ref: 004059C4
                                  • Sleep.KERNEL32(00000064,00000062,00464074), ref: 004059DE
                                  • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                                  • CloseHandle.KERNEL32 ref: 00405A03
                                  • CloseHandle.KERNEL32 ref: 00405A0B
                                  • CloseHandle.KERNEL32 ref: 00405A1D
                                  • CloseHandle.KERNEL32 ref: 00405A25
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                  • String ID: (KG$SystemDrive$cmd.exe$pKG$pKG$pKG$pKG$pKG$x/G$x/G$x/G
                                  • API String ID: 2994406822-2676871211
                                  • Opcode ID: 359f19f99f1bb917d8699d37fe260e1af0cac225651d7d71e0b6c481c20bafc1
                                  • Instruction ID: 3b714476e132253386e4612caa6ffda136c57d83f36fbb8ab3cb78f76cc16c3c
                                  • Opcode Fuzzy Hash: 359f19f99f1bb917d8699d37fe260e1af0cac225651d7d71e0b6c481c20bafc1
                                  • Instruction Fuzzy Hash: AD91C371644205EFC700BB65AD52E7F36A8EB84344F01453FF949A72E2DB789C848B6E
                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 00411649
                                    • Part of subcall function 00412B5F: RegCreateKeyA.ADVAPI32(80000001,00000000,t@F), ref: 00412B6D
                                    • Part of subcall function 00412B5F: RegSetValueExA.KERNELBASE(t@F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B6CC,00464C08,00000001,000000AF,00464074), ref: 00412B88
                                    • Part of subcall function 00412B5F: RegCloseKey.KERNELBASE(?,?,?,?,0040B6CC,00464C08,00000001,000000AF,00464074), ref: 00412B93
                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00411689
                                  • CloseHandle.KERNEL32(00000000), ref: 00411698
                                  • CreateThread.KERNEL32(00000000,00000000,00411D31,00000000,00000000,00000000), ref: 004116EE
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041195D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                  • String ID: 2G$82G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$p3G$rmclient.exe$svchost.exe
                                  • API String ID: 3018269243-814077726
                                  • Opcode ID: ecc1885243578fe0f0ec578ffa35dec06ecb1c53e096e26546fc0cf9205715fe
                                  • Instruction ID: 2a728e4d40dbe9f2dcab1c582d9c47d784adc50530ded27a5339f3dd002cc33c
                                  • Opcode Fuzzy Hash: ecc1885243578fe0f0ec578ffa35dec06ecb1c53e096e26546fc0cf9205715fe
                                  • Instruction Fuzzy Hash: 1A719E3160430157C204FB62DD9ADAE77A8AF90308F40093FF546621E2EE7C9A49C6AF
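The two records above describe how the payload spawns other processes: the earlier one pairs CreatePipe/CreateProcessA/PeekNamedPipe/ReadFile/WriteFile with the strings SystemDrive and cmd.exe (a piped command shell whose output goes to the send subcall), and this one carries the watchdog strings (svchost.exe, fsutil.exe, \SysWOW64\, \system32\, "Remcos restarted by watchdog!"). The script below is an added example, not part of the Joe Sandbox report: it runs a parent/child rule over process-creation events. The events are constructed here in the shape of a Sysmon Event ID 1 record (field names chosen for this example); RegAsm.exe is taken as the injected host because the dump snapshot is named hcaresult_6_2_400000_RegAsm.jbxd, and its full path, as well as the two svchost.exe heuristics, are this example's assumptions rather than report findings.

```python
"""Flag process-creation events consistent with the code recorded above.

Added example, not part of the Joe Sandbox report. The events are constructed
in the shape of a Sysmon Event ID 1 record (field names chosen here). RegAsm.exe
is treated as the injected host because the dump is named
hcaresult_6_2_400000_RegAsm.jbxd; the full path below is an assumption.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


INJECTED_HOST = "regasm.exe"
# Children named in the dumped code: cmd.exe for the piped shell,
# svchost.exe and fsutil.exe for the watchdog host.
SUSPICIOUS_CHILDREN = {"cmd.exe", "svchost.exe", "fsutil.exe"}


def _name(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of the rules an event triggers (empty list if none)."""
    parent, child = _name(event.parent_image), _name(event.image)
    hits = []
    if parent == INJECTED_HOST and child in SUSPICIOUS_CHILDREN:
        hits.append("remcos_host_spawns_child")
    # The two heuristics below are this example's assumptions, not report
    # findings: a genuine svchost.exe is started by services.exe and carries
    # a "-k <group>" argument.
    if child == "svchost.exe" and parent != "services.exe":
        hits.append("svchost_unexpected_parent")
    if child == "svchost.exe" and " -k " not in f" {event.command_line.lower()} ":
        hits.append("svchost_without_service_group")
    return hits


def scan(events):
    """Map event index -> triggered rules, keeping only events that fired."""
    result = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result


# Constructed events: two that mirror the report, two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, rules)
```

The first rule is the one the dump supports directly; the svchost.exe heuristics are there because a watchdog host launched from \SysWOW64\ or \system32\ with no service-group argument looks nothing like the real service host, and they should be tuned against your own telemetry before use.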
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 0040732D
                                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 004073FB
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040741D
                                    • Part of subcall function 0041AC0A: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC65
                                    • Part of subcall function 0041AC0A: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC95
                                    • Part of subcall function 0041AC0A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041ACEA
                                    • Part of subcall function 0041AC0A: FindClose.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD4B
                                    • Part of subcall function 0041AC0A: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD52
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                    • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00472EE0,?), ref: 00404B27
                                    • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00472EE0,?,?,?,?,?,?,0040545D), ref: 00404B55
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0040780B
                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004078EC
                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00407B38
                                  • DeleteFileA.KERNEL32(?), ref: 00407CC6
                                    • Part of subcall function 00407E80: __EH_prolog.LIBCMT ref: 00407E85
                                    • Part of subcall function 00407E80: FindFirstFileW.KERNEL32(00000000,?,004645D0,00000000), ref: 00407F3E
                                    • Part of subcall function 00407E80: __CxxThrowException@8.LIBVCRUNTIME ref: 00407F66
                                    • Part of subcall function 00407E80: FindNextFileW.KERNEL32(00000000,?), ref: 00407F73
                                  • Sleep.KERNEL32(000007D0), ref: 00407D6C
                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00407DAE
                                    • Part of subcall function 0041B35B: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041B450
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                  • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                  • API String ID: 1067849700-1507758755
                                  • Opcode ID: ba048923ff41e4fe6bcc8e084b9756fc2643a8ca2942556ea939290c315f8dc6
                                  • Instruction ID: bd0fccd32b98e4baecd5a91fc22e0c60ebb53a858293cf8cc6cedc8d782afcc2
                                  • Opcode Fuzzy Hash: ba048923ff41e4fe6bcc8e084b9756fc2643a8ca2942556ea939290c315f8dc6
                                  • Instruction Fuzzy Hash: 8D42A671A083005BC604FB76C9579AF77A9AF90308F40093FF542771E2EE7D9A49869B
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00473298,?,00473280), ref: 0040E9AB
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E9D6
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E9F2
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040EA71
                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00473280), ref: 0040EA80
                                    • Part of subcall function 0041AB76: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041AB8B
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00473280), ref: 0040EBA4
                                  • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00473280), ref: 0040EC90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                                  • String ID: 2G$82G$C:\Program Files(x86)\Internet Explorer\$Inj$h2G$ieinstal.exe$ielowutil.exe
                                  • API String ID: 193334293-656281143
                                  • Opcode ID: be3674cd8433d5f0af70927e21572f1822daaef1d48195387f0c0968333f5d7c
                                  • Instruction ID: c6ac6d909184663fdd7a24f9be041a716c06b948c98e485a3872bbbcebe7606d
                                  • Opcode Fuzzy Hash: be3674cd8433d5f0af70927e21572f1822daaef1d48195387f0c0968333f5d7c
                                  • Instruction Fuzzy Hash: F98141301093419BC754FB62D8919EEB7E4AFA0348F40483FF586631E2EF789949CB5A
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B129
                                  • FindClose.KERNEL32(00000000), ref: 0040B143
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B266
                                  • FindClose.KERNEL32(00000000), ref: 0040B28C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                  • API String ID: 1164774033-3681987949
                                  • Opcode ID: 335022986dd8c36f10b668b91d4e36378c070b75ba866057ad9207b355db17a0
                                  • Instruction ID: 4dbca2b9aa89f5e628085f7deb87cc68ab42e838c00934cc31fa014136c7fd8a
                                  • Opcode Fuzzy Hash: 335022986dd8c36f10b668b91d4e36378c070b75ba866057ad9207b355db17a0
                                  • Instruction Fuzzy Hash: E2512C3191421A5ADB14FBA1EC5AEEEB768AF50304F5001BFF406720E2EF785A458A9D
                                  APIs
                                  • OpenClipboard.USER32 ref: 00415803
                                  • EmptyClipboard.USER32 ref: 00415811
                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00415831
                                  • GlobalLock.KERNEL32(00000000), ref: 0041583A
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00415870
                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00415879
                                  • CloseClipboard.USER32 ref: 00415896
                                  • OpenClipboard.USER32 ref: 0041589D
                                  • GetClipboardData.USER32(0000000D), ref: 004158AD
                                  • GlobalLock.KERNEL32(00000000), ref: 004158B6
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004158BF
                                  • CloseClipboard.USER32 ref: 004158C5
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                  • String ID: 4G
                                  • API String ID: 3520204547-3080958808
                                  • Opcode ID: 98b15bc5e322abe99a0ccbef30a3c15a1b95ef066fac956880e5c4b39418939f
                                  • Instruction ID: f1afe3415f062d0b9b587beb2e8851fc1ee6a0bc4f4e9a56709fcddcee62baf9
                                  • Opcode Fuzzy Hash: 98b15bc5e322abe99a0ccbef30a3c15a1b95ef066fac956880e5c4b39418939f
                                  • Instruction Fuzzy Hash: EF2158715083005BC714BF71EC5AAAE76A9AF90756F00483EFD06962E3EF38C905C66A
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B329
                                  • FindClose.KERNEL32(00000000), ref: 0040B343
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040B403
                                  • FindClose.KERNEL32(00000000), ref: 0040B429
                                  • FindClose.KERNEL32(00000000), ref: 0040B44A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$Close$File$FirstNext
                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 3527384056-432212279
                                  • Opcode ID: b965f2d972c6829f6845957a036da51bbf501c985f1d9d0416e3551cd2d86090
                                  • Instruction ID: 51cc95074229e97af50e91e82164566f02eb9ff2f5b37e3c54f7b0a52fa2c995
                                  • Opcode Fuzzy Hash: b965f2d972c6829f6845957a036da51bbf501c985f1d9d0416e3551cd2d86090
                                  • Instruction Fuzzy Hash: 4D416C3194420A6ACB14FBA5DC56DEEB768AE51304F50017FF405B21D2FF389A45CA9E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0$06G$1$2$3$4$5$6$7$6G
                                  • API String ID: 0-3439518097
                                  • Opcode ID: 24ac2fc32beb33ce48cafe5b80d71fdfa07178e887ebd5d7dc0c99c1ba21e080
                                  • Instruction ID: 33774567b1f725210584e6ae4599f2175015db0efea207338ba601142af93ff7
                                  • Opcode Fuzzy Hash: 24ac2fc32beb33ce48cafe5b80d71fdfa07178e887ebd5d7dc0c99c1ba21e080
                                  • Instruction Fuzzy Hash: 3461C4709183019FD304EF21D861FAB7BA49F94710F14881FF9A26B2D1DF399A49CB66
                                  APIs
                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004132AF
                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004132BB
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004135B1
                                  • GetProcAddress.KERNEL32(00000000), ref: 004135B8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                  • String ID: P4G$P4G$P4G$P4G$SHDeleteKeyW$Shlwapi.dll
                                  • API String ID: 2127411465-531188865
                                  • Opcode ID: 423755acb6dbd72e7e7bdb04900b36bd24af2bc15ac096c60802203e4e3520b3
                                  • Instruction ID: ee582708a1ecfa71abd053f628b5a3b7b6646190f40a2f0f90fdaba40559649c
                                  • Opcode Fuzzy Hash: 423755acb6dbd72e7e7bdb04900b36bd24af2bc15ac096c60802203e4e3520b3
                                  • Instruction Fuzzy Hash: 07E1FD72A0430067C614BB76DC579AE32A99F95718F40063FF906B71E2ED7D8B44829F
                                  APIs
                                  • _wcslen.LIBCMT ref: 00406B95
                                  • CoGetObject.OLE32(?,00000024,004644E0,00000000), ref: 00406BF6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Object_wcslen
                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                  • API String ID: 240030777-3166923314
                                  • Opcode ID: 37b0210f552b79fdcc0f43efa47c6e279d7bbc4e5013fe63c4ecb2df5bec6842
                                  • Instruction ID: 6bce67489c7e09321c684eae8049871ec0f9a08aead341868aa49f1d7bf40555
                                  • Opcode Fuzzy Hash: 37b0210f552b79fdcc0f43efa47c6e279d7bbc4e5013fe63c4ecb2df5bec6842
                                  • Instruction Fuzzy Hash: 91110A72901218A6DB10F7D5C845F8E77BCDB44714F11006BF905B2280EB7CCA54867E
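The record above is the UAC bypass the overview calls out: CoGetObject is handed the "Elevation:Administrator!new:" moniker together with {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the CMSTPLUA CLSID, and the debug strings ([+] ucmAllocateElevatedObject) follow UACMe's naming. Reading these function records by hand is slow, so the script below is an added example, not part of the report or of Joe Sandbox, that parses listings in exactly this format and tags each function with a capability; it also covers the piped cmd.exe shell and the Firefox logins.json/key3.db wipe recorded earlier. It relies on two conventions visible on the page: the String ID line joins a function's strings with "$", and every record ends with its Instruction Fuzzy Hash line. RECORDS is a constructed excerpt of three records trimmed to their API and String ID lines, and the capability names are this example's own.

```python
"""Tag capabilities from Joe Sandbox IDA-plugin function records.

Added example; not part of the report or of Joe Sandbox. RECORDS below is a
constructed excerpt in the format shown above (three records, trimmed to
their API and String ID lines); the capability names are this example's own.
"""
import re

# "• CreatePipe.KERNEL32(...), ref: 00405796" -> ("CreatePipe", "KERNEL32");
# also matches the indented "• Part of subcall function XXXX: send.WS2_32(...)" form.
API_LINE = re.compile(r"•\s+(?:Part of subcall function [0-9A-F]+: )?(\w+)\.([A-Z0-9_]+)")


def parse_records(text):
    """Split a listing into records of {apis, strings}; a record ends at its Instruction Fuzzy Hash line."""
    records, cur = [], {"apis": set(), "strings": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := API_LINE.match(line):
            cur["apis"].add(m.group(1))
        elif line.startswith("• String ID:"):
            body = line[len("• String ID:"):].strip()
            # Joe Sandbox joins a function's strings with "$"; drop empty pieces.
            cur["strings"] |= {s for s in body.split("$") if s}
        elif line.startswith("• Instruction Fuzzy Hash:"):
            records.append(cur)
            cur = {"apis": set(), "strings": set()}
    return records


CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
FIREFOX_STORES = ("\\logins.json", "\\key3.db", "\\cookies.sqlite")

# Each rule sees the record's API-name set and string set.
RULES = {
    "uac_bypass_cmstplua": lambda a, s: "CoGetObject" in a and CMSTPLUA_CLSID in s
        and any(x.startswith("Elevation:Administrator!new:") for x in s),
    "remote_cmd_shell": lambda a, s: {"CreatePipe", "CreateProcessA", "PeekNamedPipe",
                                      "ReadFile", "WriteFile"} <= a and "cmd.exe" in s,
    "watchdog_restart": lambda a, s: {"OpenMutexA", "CreateThread"} <= a
        and any("watchdog" in x.lower() for x in s),
    "firefox_store_wipe": lambda a, s: any(x.startswith("Find") for x in a)
        and any(x.endswith(FIREFOX_STORES) for x in s),
    "clipboard_exfil": lambda a, s: {"OpenClipboard", "GetClipboardData", "send"} <= a,
    "runtime_api_resolution": lambda a, s: {"LoadLibraryA", "GetProcAddress"} <= a,
}


def tag(record):
    """Sorted capability names whose rule fires for one record."""
    return sorted(name for name, rule in RULES.items() if rule(record["apis"], record["strings"]))


def tag_listing(text):
    return [tag(r) for r in parse_records(text)]


# Constructed excerpt in the page's record format (three functions).
RECORDS = r"""
APIs
• CreatePipe.KERNEL32(00474C0C,00474BF4,00474B18,00000000,0046408C,00000000), ref: 00405796
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00474B28,00474BFC), ref: 0040581F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00472F78,00464090,00000062,00464074), ref: 004059C4
  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
• String ID: (KG$SystemDrive$cmd.exe$pKG
• Instruction Fuzzy Hash: AD91C371644205EFC700BB65AD52E7F36A8EB84344F01453FF949A72E2DB789C848B6E
APIs
• _wcslen.LIBCMT ref: 00406B95
• CoGetObject.OLE32(?,00000024,004644E0,00000000), ref: 00406BF6
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] ucmAllocateElevatedObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• Instruction Fuzzy Hash: 91110A72901218A6DB10F7D5C845F8E77BCDB44714F11006BF905B2280EB7CCA54867E
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B129
• FindNextFileA.KERNEL32(00000000,?), ref: 0040B266
• String ID: [Firefox StoredLogins Cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
• Instruction Fuzzy Hash: E2512C3191421A5ADB14FBA1EC5AEEEB768AF50304F5001BFF406720E2EF785A458A9D
"""

if __name__ == "__main__":
    for i, tags in enumerate(tag_listing(RECORDS)):
        print(i, tags)
```

Feed it the full listing (copied as plain text) and the empty-tag records fall away, leaving the handful of functions worth opening in the disassembler; add a rule per capability you care about rather than matching on individual API names, since single calls such as FindFirstFileA are too common to carry signal on their own.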
                                  APIs
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00473838), ref: 004192B9
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419308
                                  • GetLastError.KERNEL32 ref: 00419316
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041934E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                  • String ID:
                                  • API String ID: 3587775597-0
                                  • Opcode ID: 68c5141a33e5abcb7a4c128b15e6864829a970fa388a468c6e0bc043f0cc0c38
                                  • Instruction ID: dba20098d3e66f28599fd06314c57e2e3311d68971aa7dbf5ba53787a6468409
                                  • Opcode Fuzzy Hash: 68c5141a33e5abcb7a4c128b15e6864829a970fa388a468c6e0bc043f0cc0c38
                                  • Instruction Fuzzy Hash: 79816371508301ABC304EB61D8959AFB7E8FF94708F50082EF596521D2EF74EA49CB9A
                                  APIs
                                    • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                    • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446AF4
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00450F9C
                                  • IsValidCodePage.KERNEL32(00000000), ref: 00450FF7
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00451006
                                  • GetLocaleInfoW.KERNEL32(?,00001001,m3D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045104E
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045106D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                  • String ID: m3D$m3D$m3D
                                  • API String ID: 745075371-2721598275
                                  • Opcode ID: baefcfb835bb3a09e5ce8c29470c4481051489c84fe072596f635a628af4b507
                                  • Instruction ID: ce2d0ce6400888a1d824562178e0f2167d8bdbd9356f1224e449ae4cf6748fee
                                  • Opcode Fuzzy Hash: baefcfb835bb3a09e5ce8c29470c4481051489c84fe072596f635a628af4b507
                                  • Instruction Fuzzy Hash: 1851A6769002059BEB30DFA5CC45ABFB7B8AF04702F14446BFD04E7292D7B89948CB69
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B915
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040B9E8
                                  • FindClose.KERNEL32(00000000), ref: 0040B9F7
                                  • FindClose.KERNEL32(00000000), ref: 0040BA22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 1164774033-405221262
                                  • Opcode ID: 4249cba5126a2d63357f9743b2c518c08041716af5bc43cf853cd3fd1540627b
                                  • Instruction ID: f7360795b1d381be77360ebb1d09811b65db7e4dd05c1cd4fb36acbf7292fd34
                                  • Opcode Fuzzy Hash: 4249cba5126a2d63357f9743b2c518c08041716af5bc43cf853cd3fd1540627b
                                  • Instruction Fuzzy Hash: 02315031A042195ACB14F7A2DC9AAEE77B8EF50718F10047FF501B21D2EF789A458A9D
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC65
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC95
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD07
                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD14
                                    • Part of subcall function 0041AC0A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041ACEA
                                  • GetLastError.KERNEL32(?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD35
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD4B
                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD52
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD5B
                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                  • String ID:
                                  • API String ID: 2341273852-0
                                  • Opcode ID: 0f390db9b924e7f4cc6de0f128792a69a8e67dbc017e2262d63da9aebc2805e1
                                  • Instruction ID: 3339c7fc43e202b61d2d70908da88035b8b5669b3a5f9347cfb7e72bae01768d
                                  • Opcode Fuzzy Hash: 0f390db9b924e7f4cc6de0f128792a69a8e67dbc017e2262d63da9aebc2805e1
                                  • Instruction Fuzzy Hash: 5E31A07280622C9ACB20E761AC48EDB777CAF04305F0401FBF545D2191EF78DAD48A5A
                                  APIs
                                  • _free.LIBCMT ref: 00447A92
                                  • _free.LIBCMT ref: 00447AB6
                                  • _free.LIBCMT ref: 00447C3D
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D204), ref: 00447C4F
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00470764,000000FF,00000000,0000003F,00000000,?,?), ref: 00447CC7
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004707B8,000000FF,?,0000003F,00000000,?), ref: 00447CF4
                                  • _free.LIBCMT ref: 00447E09
                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                  • String ID:
                                  • API String ID: 314583886-0
                                  • Opcode ID: a387b2d2763c336cd0f9efd400082f03a7ae001d9dae8456a42e4e8c50b33189
                                  • Instruction ID: 0aa257e2c35749d2f3a928c6468fe730eac10fb1cea6214ff30b616faf06b30b
                                  • Opcode Fuzzy Hash: a387b2d2763c336cd0f9efd400082f03a7ae001d9dae8456a42e4e8c50b33189
                                  • Instruction Fuzzy Hash: 14C15971908245ABFB149F79DC41AAB7BA9EF41318F1440AFE484A7341E7389E43CB9C
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040AFC8
                                  • GetLastError.KERNEL32 ref: 0040AFD2
                                  Strings
                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040AF93
                                  • UserProfile, xrefs: 0040AF98
                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040AFF8
                                  • [Chrome StoredLogins not found], xrefs: 0040AFEC
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                  • API String ID: 2018770650-1062637481
                                  • Opcode ID: 336d210ba2532f5d22ef439965b85216bc1fef8f3e29d2417ef7fdacb26daba7
                                  • Instruction ID: a37d5e526ed20706eeea9cdf9ddb9e73f46e09c9fe60e21e4a2cfacd82ef4b6e
                                  • Opcode Fuzzy Hash: 336d210ba2532f5d22ef439965b85216bc1fef8f3e29d2417ef7fdacb26daba7
                                  • Instruction Fuzzy Hash: 8001F2B1A802065BCB04B775DC1B8BF7728AD61308B50027FF402B21E2FE39481986CF
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041684D
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00416854
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416866
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416885
                                  • GetLastError.KERNEL32 ref: 0041688B
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 3534403312-3733053543
                                  • Opcode ID: b2a577c07cd5a6e11c0a1240a119a4fb26133fa7f03a6e195252090a31f2c8a0
                                  • Instruction ID: d2a690f146848b4c7648309cf1ebff16810b1493f15ef7d05bb093e1d547c9c1
                                  • Opcode Fuzzy Hash: b2a577c07cd5a6e11c0a1240a119a4fb26133fa7f03a6e195252090a31f2c8a0
                                  • Instruction Fuzzy Hash: A2F03A71905229ABDB10ABA0ED0DAEF7FBCEF05612F1000B0B805A1092D6388A04CAF6
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040890E
                                    • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004089AA
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A08
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408A60
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408A77
                                    • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00472EE0,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E18
                                    • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E23
                                    • Part of subcall function 00404E06: CloseHandle.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?,00472EE0,?), ref: 00404E2C
                                  • FindClose.KERNEL32(00000000), ref: 00408C6F
                                    • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00472EE0,?), ref: 00404B27
                                    • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00472EE0,?,?,?,?,?,?,0040545D), ref: 00404B55
                                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                  • String ID:
                                  • API String ID: 1824512719-0
                                  • Opcode ID: cab433481be2c81fbf7e51d8efca13f680ba1d5db91c2fed064904869947248f
                                  • Instruction ID: d8a72a11d5b22176fcc9823f728123f790ce651a5e6d51f59b88b1622e7f2630
                                  • Opcode Fuzzy Hash: cab433481be2c81fbf7e51d8efca13f680ba1d5db91c2fed064904869947248f
                                  • Instruction Fuzzy Hash: F1B17D729001099BCB14FBA1DD96AEDB378AF40318F50417FF506B61D2EF386A49CB99
                                  APIs
                                    • Part of subcall function 00410CDF: SetLastError.KERNEL32(0000000D,0041125F,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041123D), ref: 00410CE5
                                  • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041123D), ref: 0041127A
                                  • GetNativeSystemInfo.KERNEL32(?,0040C7AB,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041123D), ref: 004112E8
                                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 0041130C
                                    • Part of subcall function 004111E6: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,0041132A,?,00000000,00003000,00000040,00000000,?,?), ref: 004111F6
                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411353
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0041135A
                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041146D
                                    • Part of subcall function 004115BA: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041147A,?,?,?,?,?), ref: 0041162A
                                    • Part of subcall function 004115BA: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00411631
                                  • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                  • String ID:
                                  • API String ID: 3950776272-0
                                  • Opcode ID: 2d9f25f71028deac854d3ca95b3ef4d602f7730e40cd8a3a60e3da49976845b9
                                  • Instruction ID: 0cb4cb50e04e4c00dda63c2048a6518c68fbc69f33767e983cf50f1e9feca01c
                                  • Opcode Fuzzy Hash: 2d9f25f71028deac854d3ca95b3ef4d602f7730e40cd8a3a60e3da49976845b9
                                  • Instruction Fuzzy Hash: 7F61D470605201ABD7109F66CD81BAB7BA5BF44740F04416AFE05977A2EBBCD8C1CBD9
                                  APIs
                                  • GetForegroundWindow.USER32(00473040,?,00473040), ref: 00409A17
                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409A22
                                  • GetKeyboardLayout.USER32(00000000), ref: 00409A29
                                  • GetKeyState.USER32(00000010), ref: 00409A33
                                  • GetKeyboardState.USER32(?), ref: 00409A40
                                  • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409A5C
                                  • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                                  • String ID:
                                  • API String ID: 3566172867-0
                                  • Opcode ID: 2383e54c56fa6515d192b292c1612a46cb947041ff7e3d2d037176f10f249e8a
                                  • Instruction ID: aeedf37edc6dd1a703413de17d62dd48ee8b6b0f748b25ac56bea9041ac92ee6
                                  • Opcode Fuzzy Hash: 2383e54c56fa6515d192b292c1612a46cb947041ff7e3d2d037176f10f249e8a
                                  • Instruction Fuzzy Hash: 35110C7290020CABDB109BA4ED49FDA77ACEB0C316F1004B5FE05E6191E675AA54DBA4
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,004191FB,00000000), ref: 004195AE
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,004191FB,00000000), ref: 004195C3
                                  • CloseServiceHandle.ADVAPI32(00000000,?,004191FB,00000000), ref: 004195D0
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,004191FB,00000000), ref: 004195DB
                                  • CloseServiceHandle.ADVAPI32(00000000,?,004191FB,00000000), ref: 004195ED
                                  • CloseServiceHandle.ADVAPI32(00000000,?,004191FB,00000000), ref: 004195F0
                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                  • String ID:
                                  • API String ID: 276877138-0
                                  • Opcode ID: 4458733521a0979ca6e2592e4486a2a8f4120580d2394bf64a23f74dfefcc79d
                                  • Instruction ID: 9846d5d3bfd465166b522490e3d014472adb2eb81bdb42509a6f537d7eac31bb
                                  • Opcode Fuzzy Hash: 4458733521a0979ca6e2592e4486a2a8f4120580d2394bf64a23f74dfefcc79d
                                  • Instruction Fuzzy Hash: 43F0E9721052247FD2119F20BCC8DFF27ECDF81BA6B00043AF501921D18F68CD45A5B5
                                  APIs
                                    • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                    • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443374,?,?,?,?,00442DCB,?,00000004), ref: 0045063A
                                  • _wcschr.LIBVCRUNTIME ref: 004506CA
                                  • _wcschr.LIBVCRUNTIME ref: 004506D8
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,t3D,00000000,?), ref: 0045077B
                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                  • String ID: t3D
                                  • API String ID: 4212172061-694417703
                                  • Opcode ID: b9c9552eaca3d1881d3ae1f5d8ad23bd1f562e179b5fb4d1a587ec592402c2be
                                  • Instruction ID: ba7a9897b5b485b0d00a1d7db932209b8575a85ef4c726eb57bec7d4989f050b
                                  • Opcode Fuzzy Hash: b9c9552eaca3d1881d3ae1f5d8ad23bd1f562e179b5fb4d1a587ec592402c2be
                                  • Instruction Fuzzy Hash: 59610B75500706AAE724AB75CC42A6B73A8EF09705F14046FFD05DB282FB78ED488B69
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00450FDB,?,00000000), ref: 00450D55
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00450FDB,?,00000000), ref: 00450D7E
                                  • GetACP.KERNEL32(?,?,00450FDB,?,00000000), ref: 00450D93
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: e1cc0e8b5d55e55e0692ae403176d07c371e2c9d392849c0dfe23d3819b2362a
                                  • Instruction ID: f4dc62717276faaaa6782721abfec9566da5d0668c2a958c42eb904ffeb84586
                                  • Opcode Fuzzy Hash: e1cc0e8b5d55e55e0692ae403176d07c371e2c9d392849c0dfe23d3819b2362a
                                  • Instruction Fuzzy Hash: 2C21A73AA00205AAD7348F94D900A9B73B6EF54B52B568466ED0DDB203E736ED4DC398
                                  APIs
                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A014
                                  • LoadResource.KERNEL32(00000000,?,?,0040E8FB,00000000), ref: 0041A028
                                  • LockResource.KERNEL32(00000000,?,?,0040E8FB,00000000), ref: 0041A02F
                                  • SizeofResource.KERNEL32(00000000,?,?,0040E8FB,00000000), ref: 0041A03E
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID: SETTINGS
                                  • API String ID: 3473537107-594951305
                                  • Opcode ID: 2d1e4ba86f2e32d2beda4657f94b09353a7239f4cfd5f7509494277a44e50716
                                  • Instruction ID: b95858df6d0456d97b6bbc8465da1c17ee9993c19fec26ac2e34289928cab2cf
                                  • Opcode Fuzzy Hash: 2d1e4ba86f2e32d2beda4657f94b09353a7239f4cfd5f7509494277a44e50716
                                  • Instruction Fuzzy Hash: 26E01A76205B10ABC7311FA1BC4CD073F29F789753B100035F909D6321DA358850CA59
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00408D20
                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00408D98
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00408DC1
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408DD8
                                  • API ID: Find$File$CloseFirstH_prologNext
                                  • String ID:
                                  • API String ID: 1157919129-0
                                  • Opcode ID: 040ba2bf4af1f7739dc499a52eede90c6e384094becbb09cfc3ecf1e9f8ad23b
                                  • Instruction ID: b34c8ff471b712c414ce627f555fa5c2b30a51ca04011b772a5ffd3e96ebdc4c
                                  • Opcode Fuzzy Hash: 040ba2bf4af1f7739dc499a52eede90c6e384094becbb09cfc3ecf1e9f8ad23b
                                  • Instruction Fuzzy Hash: 7D8153328001099BCB15EBA1DD969EE77B8AF54308F10417FE446B71E2EF385B49CB98
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00407E85
                                  • FindFirstFileW.KERNEL32(00000000,?,004645D0,00000000), ref: 00407F3E
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00407F66
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00407F73
                                  • FindClose.KERNEL32(00000000), ref: 00408089
                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                  • String ID:
                                  • API String ID: 1771804793-0
                                  • Opcode ID: 3be87338c5ccde4bda33af4eb2d46d3e673b372e7a4938fc398457580a3d2888
                                  • Instruction ID: eb919791392cef61e63247088396cac0e0337327006fc65e235cea095d5a35b6
                                  • Opcode Fuzzy Hash: 3be87338c5ccde4bda33af4eb2d46d3e673b372e7a4938fc398457580a3d2888
                                  • Instruction Fuzzy Hash: 2F51517190020996CB04FBA1DD969DD77A8AF50308F50457FF846B31E2EF389B49CB9A
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406630
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406714
                                  • API ID: DownloadExecuteFileShell
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                  • API String ID: 2825088817-3056885514
                                  • Opcode ID: 0ade162c15b8e3d2f407354020356f0b1814df9a547fde063a5fcd942968d10d
                                  • Instruction ID: 0db7feb28fe899170bc1ff05edd6f0e9b1c7309e9c1e85d08ff0b0aee6ae3b0b
                                  • Opcode Fuzzy Hash: 0ade162c15b8e3d2f407354020356f0b1814df9a547fde063a5fcd942968d10d
                                  • Instruction Fuzzy Hash: 2C61E531A0430157CA14FB75C8A69BE77A99FD1308F10093FF942771D2EE3D8919869B
                                  APIs
                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041B450
                                    • Part of subcall function 00412A57: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00412A66
                                    • Part of subcall function 00412A57: RegSetValueExA.KERNELBASE(?,00465480,00000000,?,00000000,00000000,00473238,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A8E
                                    • Part of subcall function 00412A57: RegCloseKey.KERNELBASE(?,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A99
                                  • API ID: CloseCreateInfoParametersSystemValue
                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                  • API String ID: 4127273184-3576401099
                                  • Opcode ID: 0f7ffe8b6e80eb567ecb63e6802e6f86dd5102a9c92cc4e5d19f473a58613ae7
                                  • Instruction ID: 353071605875722e2d2290b0d1df67e202755458c4192b98c6391b796ea34086
                                  • Opcode Fuzzy Hash: 0f7ffe8b6e80eb567ecb63e6802e6f86dd5102a9c92cc4e5d19f473a58613ae7
                                  • Instruction Fuzzy Hash: 96114D32F8061036D918317A4E1BBAE28068786F50F55815FFB013A2C6E5CF5AB143CF
                                  APIs
                                    • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                    • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446AF4
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450997
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004509E8
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450AA8
                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                  • String ID:
                                  • API String ID: 2829624132-0
                                  • Opcode ID: 23d8e905687bc38429d1be92d1a08982c83e9c62d6a5deb4e14a37c3f35087c4
                                  • Instruction ID: da7bcabd89bfc395045dfa7eb9e966dc36f5abb2093a3d853536695ab6a7a704
                                  • Opcode Fuzzy Hash: 23d8e905687bc38429d1be92d1a08982c83e9c62d6a5deb4e14a37c3f35087c4
                                  • Instruction Fuzzy Hash: E361A3795002079FEB289F64CC82B7B77A8EF14306F1081ABED05C6246E778ED49CB58
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043A4E9
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043A4F3
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043A500
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  • Opcode ID: 544a3ea7fff3e3fd303db8147e01e1c016785345ebc81d263e55c6614bc6e9fb
                                  • Instruction ID: 1402d3c3d6381031a2721457eed26b4c58248f3cce99d36bfdd4232644ff5fa2
                                  • Opcode Fuzzy Hash: 544a3ea7fff3e3fd303db8147e01e1c016785345ebc81d263e55c6614bc6e9fb
                                  • Instruction Fuzzy Hash: 3031D37590132CABCB21DF24D88879DBBB8AF08315F5052EAE81CA7251E7749B858F49
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,00441B5B,?), ref: 00441BA6
                                  • TerminateProcess.KERNEL32(00000000,?,00441B5B,?), ref: 00441BAD
                                  • ExitProcess.KERNEL32 ref: 00441BBF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: ff5056bf36bedea9d2f3910c34989f8e11af6edf1d36431677989e12fa233f4a
                                  • Instruction ID: 3981a427e79a20866ec782955a96dc1f6ef246171a4a80411b7f48c71aa59ebf
                                  • Opcode Fuzzy Hash: ff5056bf36bedea9d2f3910c34989f8e11af6edf1d36431677989e12fa233f4a
                                  • Instruction Fuzzy Hash: 18E0BF31005348ABDF116F65EE49E593B69EB44356F0040A5F8094A632DB39ED82CA88
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: .
                                  • API String ID: 0-248832578
                                  • Opcode ID: eb39091a66b90e585f9b8de1188895b1ce3c987d0d7c23a11321f6f6f58edeb2
                                  • Instruction ID: a605d271e407c9958f5ebfb9e98191da8a3e066373b5453ef71e7620c58a5f30
                                  • Opcode Fuzzy Hash: eb39091a66b90e585f9b8de1188895b1ce3c987d0d7c23a11321f6f6f58edeb2
                                  • Instruction Fuzzy Hash: CA313571D00209AFEB249E79CC84EEB7BBDEB86308F1401AEF819D3251E6349D408B64
                                  APIs
                                    • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                    • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                                  • EnumSystemLocalesW.KERNEL32(00450943,00000001,00000000,?,m3D,?,00450F70,00000000,?,?,?), ref: 0045088D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID: m3D
                                  • API String ID: 1084509184-982802904
                                  • Opcode ID: d13ce46db01857b44c754fc5ec7763bcb35d9ccf5c388861a977e99f0991b4a0
                                  • Instruction ID: 15c25865bd57dd9ed052f6de1c9d4bc0c6d7c90143c64c40a76a96693f8e609e
                                  • Opcode Fuzzy Hash: d13ce46db01857b44c754fc5ec7763bcb35d9ccf5c388861a977e99f0991b4a0
                                  • Instruction Fuzzy Hash: 3E118C3B2007019FEB18AF39C8916BAB791FF80319B14883EED4647701D775B906C780
                                  APIs
                                    • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                    • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                                  • EnumSystemLocalesW.KERNEL32(00450B93,00000001,?,?,m3D,?,00450F34,m3D,?,?,?,?,?,0044336D,?,?), ref: 00450902
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID: m3D
                                  • API String ID: 1084509184-982802904
                                  • Opcode ID: 26991cba7bbc86e1919f10754b8b785b2ecdf25adbba73174a712f5d5bc6d13d
                                  • Instruction ID: 5dea69f9d697fc4293d0711e1b08fce8c3201d78217ba2bcd737ffac06997e55
                                  • Opcode Fuzzy Hash: 26991cba7bbc86e1919f10754b8b785b2ecdf25adbba73174a712f5d5bc6d13d
                                  • Instruction Fuzzy Hash: A5F0283A3003055FDB146F359C81A66BB95EF81759F15883EFD418B642D675AC018744
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00442DCB,?,00000004), ref: 004471C0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: GetLocaleInfoEx
                                  • API String ID: 2299586839-2904428671
                                  • Opcode ID: 2c80f62870bc465dbeaf3c9209bb9ced0744fbcbc410adbe038e870c8c2fc236
                                  • Instruction ID: 1399f742e217acd12c1245ecdfc534ed39672f07150ba9ee3c651a9906310cab
                                  • Opcode Fuzzy Hash: 2c80f62870bc465dbeaf3c9209bb9ced0744fbcbc410adbe038e870c8c2fc236
                                  • Instruction Fuzzy Hash: 3BF0F031A44208BBDB11AF61DC06F6E7F65EF08701F00406AFC0966292CB798E15DAAE
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 004188A6
                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418972
                                    • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Find$CreateFirstNext
                                  • String ID:
                                  • API String ID: 341183262-0
                                  • Opcode ID: 90de620b768e0d5432e28704ddbe5336d28ace6e771a226f939c47cc78ca68f2
                                  • Instruction ID: 4e170b996662dc82c888af41f7fe9c50681d869d22ff8177fab8d840ae628c7b
                                  • Opcode Fuzzy Hash: 90de620b768e0d5432e28704ddbe5336d28ace6e771a226f939c47cc78ca68f2
                                  • Instruction Fuzzy Hash: C68162715082415BC314FB62C896DEFB3A9AF90308F50493FF546631E2EF389A49C69E
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ECB
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406F93
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$FirstNextsend
                                  • String ID:
                                  • API String ID: 4113138495-0
                                  • Opcode ID: 0243c29a5c44da57c52cc3e0e2833ac61aa8cd16a29796b0feb2370dfdd7c598
                                  • Instruction ID: da33ce525bc8868546fe2e6bcae83f091993c6b7fab0c7b7f9de5ed664394571
                                  • Opcode Fuzzy Hash: 0243c29a5c44da57c52cc3e0e2833ac61aa8cd16a29796b0feb2370dfdd7c598
                                  • Instruction Fuzzy Hash: F92143311043015BC714FB61DD96DEFB7ACEF90358F400A3EF596621D1EF389A09865A
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00433566
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FeaturePresentProcessor
                                  • String ID:
                                  • API String ID: 2325560087-0
                                  • Opcode ID: 10d0db48ad41214a457a840dc0a8d4848e401eea1aef23fd8bf6dc7a295d9120
                                  • Instruction ID: a2294149a4fe3e39a77fcac35e687f8d246c97dff2426aff95b936701e7ffbe2
                                  • Opcode Fuzzy Hash: 10d0db48ad41214a457a840dc0a8d4848e401eea1aef23fd8bf6dc7a295d9120
                                  • Instruction Fuzzy Hash: 02516B71D002089FEB24CFA9E98669EBBF4FB08315F14917AD455E7350E374AA04CFA5
                                  APIs
                                    • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                    • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446AF4
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450BE7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                  • String ID:
                                  • API String ID: 1663032902-0
                                  • Opcode ID: 4597e0029ea091ecb2ebf5e98482b9f6fcb85861c7a3cfe2c1e922654fb1815e
                                  • Instruction ID: d6adf83c33703ae5228b67ec7a49f9fec95c79c937f4ddcaaa5f3f490f6395be
                                  • Opcode Fuzzy Hash: 4597e0029ea091ecb2ebf5e98482b9f6fcb85861c7a3cfe2c1e922654fb1815e
                                  • Instruction Fuzzy Hash: DB21D6365002069BDB2D9F25DC42A7773ACEB06316F1001BBFD05D6242EB78ED88CB59
                                  APIs
                                    • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                    • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00450B61,00000000,00000000,?), ref: 00450DEF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale_abort_free
                                  • String ID:
                                  • API String ID: 2692324296-0
                                  • Opcode ID: 10618e774f34a6619048d0637102a68081d551e0a0db41e4c1e10200fba24050
                                  • Instruction ID: 265ab6a49acb69b6371535c2f9c40041978aee9ae2e746c74d294b287eb083f8
                                  • Opcode Fuzzy Hash: 10618e774f34a6619048d0637102a68081d551e0a0db41e4c1e10200fba24050
                                  • Instruction Fuzzy Hash: 41F0493AA40117ABDB245A64C8077BB7B68EB00315F148C6AEC05A3241EA38FD0986D4
                                  APIs
                                    • Part of subcall function 00444189: EnterCriticalSection.KERNEL32(-00066892,?,004418AB,00000000,0046C868,0000000C,00441866,?,?,?,00444427,?,?,00446B4A,00000001,00000364), ref: 00444198
                                  • EnumSystemLocalesW.KERNEL32(00446C3E,00000001,0046CA10,0000000C), ref: 00446CBC
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                  • String ID:
                                  • API String ID: 1272433827-0
                                  • Opcode ID: aa06587be2c9cb8b071f33295b8cbec66515d87765e7fc573258893074f482cb
                                  • Instruction ID: 8a714871f2e0af15b08c3d487532fbc1d9fceb156b6070508e72b175ec7fb5e6
                                  • Opcode Fuzzy Hash: aa06587be2c9cb8b071f33295b8cbec66515d87765e7fc573258893074f482cb
                                  • Instruction Fuzzy Hash: F4F04F72610204EFE714EF68E886B5D77E0EB05725F10813BF844DB2E2DB799A808F59
                                  APIs
                                    • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                    • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                                  • EnumSystemLocalesW.KERNEL32(00450727,00000001,?,?,?,00450F92,m3D,?,?,?,?,?,0044336D,?,?,?), ref: 00450807
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: 9174a0c065a7b49ba50cb90ab7ddfc1d90f3254fc2b27fe64f266881c7e4a03e
                                  • Instruction ID: 6cc6cd71b12713b10ec057b6d25e2a24f4d08592f735aee3b5647b3ea735c769
                                  • Opcode Fuzzy Hash: 9174a0c065a7b49ba50cb90ab7ddfc1d90f3254fc2b27fe64f266881c7e4a03e
                                  • Instruction Fuzzy Hash: 6DF05C3930024597CB049F35DC05A6BBF50EFC2755B06805EEE058B641C635AC46CB54
                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00414839,00472EC8,00473950,00472EC8,00000000,00472EC8,00000000,00472EC8,4.6.0 Pro), ref: 0040EE28
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: 55fa4587c3ace90d4b2fee4f72fbc60d66f8dd621eb913bd28efc0a32108dec6
                                  • Instruction ID: f278ed4507f78d565aa92993a3921e54a570b3fb05803534b7f05061c5bfe0db
                                  • Opcode Fuzzy Hash: 55fa4587c3ace90d4b2fee4f72fbc60d66f8dd621eb913bd28efc0a32108dec6
                                  • Instruction Fuzzy Hash: C0D05B30B4421C77E51096859C0AFAB7B9CD701B52F0001A6BA04D72C0D9E15E0087D5
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0003345E,00433185), ref: 00433457
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: fb3aaaa52268b5920dbf3edef77856ac2629be7d88f1c4c86b65aace9ef12b18
                                  • Instruction ID: 3c5ffc1f6ca5581617dc18551564c5a1f11bccfc48c0ed950457c3a26c38d402
                                  • Opcode Fuzzy Hash: fb3aaaa52268b5920dbf3edef77856ac2629be7d88f1c4c86b65aace9ef12b18
                                  • Instruction Fuzzy Hash:
                                  APIs
                                    • Part of subcall function 00411D93: TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                                    • Part of subcall function 00411D93: WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040CA21
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040CA34
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040CA4D
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040CA7D
                                    • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(Function_00009880,00000000,pth_unenc,0040C5C1,00473220,00473238,?,pth_unenc), ref: 0040AE2B
                                    • Part of subcall function 0040AE1C: UnhookWindowsHookEx.USER32(?), ref: 0040AE3B
                                    • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(Function_0000986A,00000000,?,pth_unenc), ref: 0040AE4D
                                    • Part of subcall function 0041AD6A: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041AE89,00000000,00000000,?), ref: 0041ADA9
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000000), ref: 0040CCC8
                                  • ExitProcess.KERNEL32 ref: 0040CCD4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: """, 0$")$(PF$82G$@-G$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$P2G$P2G$P2G$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                  • API String ID: 1861856835-3214438867
                                  • Opcode ID: 6ac48dc816dc3b95a39b07fc92ec992f80d0945b9bd3827ca5f28a8faab99013
                                  • Instruction ID: f36577c89e8dd83dec34a85844eba9d7716d9325f3a0deb710764ed536580f15
                                  • Opcode Fuzzy Hash: 6ac48dc816dc3b95a39b07fc92ec992f80d0945b9bd3827ca5f28a8faab99013
                                  • Instruction Fuzzy Hash: 059182712042405BC718FB62D892AEF77E99F90308F10453FF546A71E2EE789D49C69E
                                  APIs
                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417A3D
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00417A4A
                                    • Part of subcall function 00417E84: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00417EB4
                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00417AC0
                                  • DeleteDC.GDI32(00000000), ref: 00417AD7
                                  • DeleteDC.GDI32(00000000), ref: 00417ADA
                                  • DeleteObject.GDI32(00000000), ref: 00417ADD
                                  • SelectObject.GDI32(00000000,00000000), ref: 00417AFE
                                  • DeleteDC.GDI32(00000000), ref: 00417B0F
                                  • DeleteDC.GDI32(00000000), ref: 00417B12
                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00417B36
                                  • GetIconInfo.USER32(?,?), ref: 00417B6A
                                  • DeleteObject.GDI32(?), ref: 00417B99
                                  • DeleteObject.GDI32(?), ref: 00417BA6
                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00417BB3
                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 00417BCB
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417C3A
                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 00417CA9
                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417CCD
                                  • DeleteDC.GDI32(?), ref: 00417CE1
                                  • DeleteDC.GDI32(00000000), ref: 00417CE4
                                  • DeleteObject.GDI32(00000000), ref: 00417CE7
                                  • GlobalFree.KERNEL32(?), ref: 00417CF2
                                  • DeleteObject.GDI32(00000000), ref: 00417DA6
                                  • GlobalFree.KERNEL32(?), ref: 00417DAD
                                  • DeleteDC.GDI32(?), ref: 00417DBD
                                  • DeleteDC.GDI32(00000000), ref: 00417DC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                  • String ID: DISPLAY
                                  • API String ID: 479521175-865373369
                                  • Opcode ID: bf6f05e164225dc6d11b1f54ddb9184b048601555f5d19c18918d9f8b72fe3ce
                                  • Instruction ID: 14e7487399ba1fd70ea331c62ec4cafd0bb9d4ecd5deee876d7c9955afd64b2a
                                  • Opcode Fuzzy Hash: bf6f05e164225dc6d11b1f54ddb9184b048601555f5d19c18918d9f8b72fe3ce
                                  • Instruction Fuzzy Hash: E5B138715083059FD720AF24DD44BABBBF8EF88755F00482EF98993291EB34E945CB5A
                                  APIs
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417024
                                  • GetProcAddress.KERNEL32(00000000), ref: 00417027
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00417038
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041703B
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041704C
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041704F
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00417060
                                  • GetProcAddress.KERNEL32(00000000), ref: 00417063
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00417105
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041711D
                                  • GetThreadContext.KERNEL32(?,00000000), ref: 00417133
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00417159
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004171DB
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004171EF
                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041722F
                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 004172F9
                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00417316
                                  • ResumeThread.KERNEL32(?), ref: 00417323
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041733A
                                  • GetCurrentProcess.KERNEL32(?), ref: 00417345
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 00417360
                                  • GetLastError.KERNEL32 ref: 00417368
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                  • API String ID: 4188446516-3035715614
                                  • Opcode ID: b09713fd60689f017e420b393c6ced870b96dd58d2ec877479bf71d34cdbe797
                                  • Instruction ID: 266150a76addbd25bf96a89ad10f512fef98d9a90c2618b82beff4a0ecbb5786
                                  • Opcode Fuzzy Hash: b09713fd60689f017e420b393c6ced870b96dd58d2ec877479bf71d34cdbe797
                                  • Instruction Fuzzy Hash: E1A15DB0548304EFD7209F61DC85BAB7BF8FB48705F10042AFA55D6291D778E884CB6A
                                  APIs
                                    • Part of subcall function 00411D93: TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                                    • Part of subcall function 00411D93: WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00473238,?,pth_unenc), ref: 0040C6AE
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C6C1
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00473238,?,pth_unenc), ref: 0040C6F1
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00473238,?,pth_unenc), ref: 0040C700
                                    • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(Function_00009880,00000000,pth_unenc,0040C5C1,00473220,00473238,?,pth_unenc), ref: 0040AE2B
                                    • Part of subcall function 0040AE1C: UnhookWindowsHookEx.USER32(?), ref: 0040AE3B
                                    • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(Function_0000986A,00000000,?,pth_unenc), ref: 0040AE4D
                                    • Part of subcall function 0041A4D3: GetCurrentProcessId.KERNEL32(00000000,6BEF8300,00000000,?,?,?,?,0046A8F0,0040C716,.vbs,?,?,?,?,?,00473238), ref: 0041A4FA
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000000), ref: 0040C91B
                                  • ExitProcess.KERNEL32 ref: 0040C922
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: ")$.vbs$82G$@-G$On Error Resume Next$P2G$P2G$P2G(PF$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                  • API String ID: 3797177996-790292332
                                  • Opcode ID: 651557d56ab48babcb6b12b1d235041bbb77a569bfba6164debd633ea0c8ba4e
                                  • Instruction ID: 6e45ccf0452d088d16b27cf02e05fcd52a39cd31be9773de80b43fbe075aaa7b
                                  • Opcode Fuzzy Hash: 651557d56ab48babcb6b12b1d235041bbb77a569bfba6164debd633ea0c8ba4e
                                  • Instruction Fuzzy Hash: F7817F716043405BC718FB62D8929AF73E9AF90308F10493FB546A71E2EE7C9D49C69E
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,00473298,00000003), ref: 004119D7
                                  • ExitProcess.KERNEL32(00000000), ref: 004119E3
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00411A5D
                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00411A6C
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411A77
                                  • CloseHandle.KERNEL32(00000000), ref: 00411A7E
                                  • GetCurrentProcessId.KERNEL32 ref: 00411A84
                                  • PathFileExistsW.SHLWAPI(?), ref: 00411AB5
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00411B18
                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411B32
                                  • lstrcatW.KERNEL32(?,.exe), ref: 00411B44
                                    • Part of subcall function 0041AD6A: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041AE89,00000000,00000000,?), ref: 0041ADA9
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411B84
                                  • Sleep.KERNEL32(000001F4), ref: 00411BC5
                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00411BDA
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411BE5
                                  • CloseHandle.KERNEL32(00000000), ref: 00411BEC
                                  • GetCurrentProcessId.KERNEL32 ref: 00411BF2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                  • String ID: .exe$82G$82G$82G$WDH$exepath$open$p3G$temp_
                                  • API String ID: 2649220323-3724276308
                                  • Opcode ID: b2e06cf259adce29e5b9a6f61894e54fc161aec0f21a16602573b073eab7af32
                                  • Instruction ID: 22e993795ca5e5f4b94ea2bece14d6f4ece3e8e9738639780bf53f9b9ba412ff
                                  • Opcode Fuzzy Hash: b2e06cf259adce29e5b9a6f61894e54fc161aec0f21a16602573b073eab7af32
                                  • Instruction Fuzzy Hash: D251F871A043157BDB10A7A0AC99EEF336C9B04715F1001BBF905A72D2EF789E858A5D
                                  APIs
                                  • _wcslen.LIBCMT ref: 0040C315
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00473298,0000000B,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040C32E
                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000000,?,00473298,0000000B,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040C3DE
                                  • _wcslen.LIBCMT ref: 0040C3F4
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040C47C
                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000), ref: 0040C492
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040C4D1
                                  • _wcslen.LIBCMT ref: 0040C4D4
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040C4EB
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00473298,0000000B), ref: 0040C53B
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000001), ref: 0040C559
                                  • ExitProcess.KERNEL32 ref: 0040C570
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                  • String ID: 2G$ 2G$6$82G$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$P2G$P2G$P2G$P2G$P2G$del$open
                                  • API String ID: 1579085052-428073613
                                  • Opcode ID: bfab0396712cdb6fceb415df2e397e9bfb2972d7f202014a74839231b5077f1f
                                  • Instruction ID: 2a47eddb00df912b126377051a92c71841ea904bf6b40c506a6d22bed5b78104
                                  • Opcode Fuzzy Hash: bfab0396712cdb6fceb415df2e397e9bfb2972d7f202014a74839231b5077f1f
                                  • Instruction Fuzzy Hash: 3E51C461204340ABD614B7B2EC92A7F2399AF90708F10843FF805A62D3DF7C9D0592AF
                                  APIs
                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00419C97
                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419CAB
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00464074), ref: 00419CD3
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00472EC8,00000000), ref: 00419CE9
                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419D2A
                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00419D42
                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00419D57
                                  • SetEvent.KERNEL32 ref: 00419D74
                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 00419D85
                                  • CloseHandle.KERNEL32 ref: 00419D95
                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419DB7
                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00419DC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                  • API String ID: 738084811-1354618412
                                  • Opcode ID: 13cdc97dd22d99cd2db1ceedcc73f90d3833d7188593cccb55647e3260286f43
                                  • Instruction ID: 455b6cfaa5a4d4cea25ac99553b3555d96430d1d1c5ac1129c3b59e21b3d00b1
                                  • Opcode Fuzzy Hash: 13cdc97dd22d99cd2db1ceedcc73f90d3833d7188593cccb55647e3260286f43
                                  • Instruction Fuzzy Hash: 8751C5712442056FD214F761EC92EAF369DEB80348F10443FF546A21E2EE789D898A6F
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                                  • WriteFile.KERNEL32(00000000,00470AAA,00000002,00000000,00000000), ref: 00401B45
                                  • WriteFile.KERNEL32(00000000,00470AAC,00000004,00000000,00000000), ref: 00401B55
                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                                  • WriteFile.KERNEL32(00000000,00470AB6,00000002,00000000,00000000), ref: 00401B87
                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Write$Create
                                  • String ID: RIFF$WAVE$data$fmt
                                  • API String ID: 1602526932-4212202414
                                  • Opcode ID: e9244d672c59e0ffd74479715dd62bb2a6f89e2f1e0128d42166dc8543c173f0
                                  • Instruction ID: bbc7d4a3c977ff0e2710d2a536ed23c0b0e069a4161f47bce29e1ad9506f00c9
                                  • Opcode Fuzzy Hash: e9244d672c59e0ffd74479715dd62bb2a6f89e2f1e0128d42166dc8543c173f0
                                  • Instruction Fuzzy Hash: 8D412EB2654318BAE210DE51DD85FBB7EECEB85B50F40441AFA44D60C0D7A4E909DBB3
                                  APIs
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000001,00406CC1,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000003,00406CE9,00473220,00406D42), ref: 004068F8
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406901
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 00406916
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406919
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 0040692A
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040692D
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 0040693E
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406941
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00406952
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406955
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 00406966
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406969
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                  • API String ID: 1646373207-255920310
                                  • Opcode ID: c5d62d6da54eaf1f5e298c1ce3456973680903e04872b744077958239b2d5770
                                  • Instruction ID: df219cf26e896b26ca7b17cc0f8dfcb6cf109bc3019751d44b8154791cbbdf11
                                  • Opcode Fuzzy Hash: c5d62d6da54eaf1f5e298c1ce3456973680903e04872b744077958239b2d5770
                                  • Instruction Fuzzy Hash: 190175E1A4130AAADB10777A6C58D476EDC9EA13503120937B405E2691EEBCD8908D6C
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$EnvironmentVariable$_wcschr
                                  • String ID:
                                  • API String ID: 3899193279-0
                                  • Opcode ID: dcae89719070f5e43a69685a16df3d7dfddf94d936716f055945bb6679d207b1
                                  • Instruction ID: 70a147eeefff8d80a420db1d2de74d9c70af01ffcddfc6d33a5ace776a2fbf8c
                                  • Opcode Fuzzy Hash: dcae89719070f5e43a69685a16df3d7dfddf94d936716f055945bb6679d207b1
                                  • Instruction Fuzzy Hash: B0D137B1D01701ABFB30AF76D882A6E7BA4AF05718F04456FF94597382EB3D9840879C
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041411C
                                  • LoadLibraryA.KERNEL32(?), ref: 0041415E
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041417E
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414185
                                  • LoadLibraryA.KERNEL32(?), ref: 004141BD
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004141CF
                                  • FreeLibrary.KERNEL32(00000000), ref: 004141D6
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004141E5
                                  • FreeLibrary.KERNEL32(00000000), ref: 004141FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                  • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                  • API String ID: 2490988753-744132762
                                  • Opcode ID: d30bf5144b07c6523917f2ebe4b756d5bb383713da0f8795a0bb91b899a473ae
                                  • Instruction ID: ec032a2b9b2afcf1944104fdbdee5c9b5016f8d194ad9eb48286684fedf55356
                                  • Opcode Fuzzy Hash: d30bf5144b07c6523917f2ebe4b756d5bb383713da0f8795a0bb91b899a473ae
                                  • Instruction Fuzzy Hash: 4A31B1B250671167D320DF65DC48ECB7ADCAB84794F040A6AF844A3201E73CDAD48BAF
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B02A
                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B06E
                                  • RegCloseKey.ADVAPI32(?), ref: 0041B338
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnumOpen
                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                  • API String ID: 1332880857-3714951968
                                  • Opcode ID: 2a580cea4b1912eb3d55e9a045cb2cb1a96f83a74ba503d9a6df37afff02949c
                                  • Instruction ID: 996ba4e169512d105bf10ccdef0111c5bf25efe0ecf00969fbd19f1ec1e96d73
                                  • Opcode Fuzzy Hash: 2a580cea4b1912eb3d55e9a045cb2cb1a96f83a74ba503d9a6df37afff02949c
                                  • Instruction Fuzzy Hash: 688123711082459BD324EB51D891EEFB3E8EF94308F50493FF586921D2EF349949CA9A
                                  APIs
                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041BEE5
                                  • GetCursorPos.USER32(?), ref: 0041BEF4
                                  • SetForegroundWindow.USER32(?), ref: 0041BEFD
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041BF17
                                  • Shell_NotifyIconA.SHELL32(00000002,00472B20), ref: 0041BF68
                                  • ExitProcess.KERNEL32 ref: 0041BF70
                                  • CreatePopupMenu.USER32 ref: 0041BF76
                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041BF8B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                  • String ID: Close
                                  • API String ID: 1657328048-3535843008
                                  • Opcode ID: 671d0a36089a7764a87accef62fbf46538a6333771b6ae1721ed7aed7857f9ea
                                  • Instruction ID: dfe43188851c1a6f81b140f94b5f6a7c696d7e25908ee8c8785907bb885635e0
                                  • Opcode Fuzzy Hash: 671d0a36089a7764a87accef62fbf46538a6333771b6ae1721ed7aed7857f9ea
                                  • Instruction Fuzzy Hash: AC212631108209BFDB054FA4ED0DEAA3B65FB08312F104539FE05A01B1D7B6D9A1EF59
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$Info
                                  • String ID:
                                  • API String ID: 2509303402-0
                                  • Opcode ID: a8cc77335abd681ecdd4907e4e1c8762169d6c95eeac57854194a817c881b2f5
                                  • Instruction ID: ad40bc67768ff577a85139c61b858be7675e1a203c69b77c022c2f93fc340f39
                                  • Opcode Fuzzy Hash: a8cc77335abd681ecdd4907e4e1c8762169d6c95eeac57854194a817c881b2f5
                                  • Instruction Fuzzy Hash: D5B1AFB1900245AFEB20DF79C881BAFBBF4BF49304F14406EF495A7352DB7998419B64
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 0044FB8A
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044ED9F
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDB1
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDC3
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDD5
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDE7
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDF9
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE0B
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE1D
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE2F
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE41
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE53
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE65
                                    • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE77
                                  • _free.LIBCMT ref: 0044FB7F
                                    • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                                    • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                                  • _free.LIBCMT ref: 0044FBA1
                                  • _free.LIBCMT ref: 0044FBB6
                                  • _free.LIBCMT ref: 0044FBC1
                                  • _free.LIBCMT ref: 0044FBE3
                                  • _free.LIBCMT ref: 0044FBF6
                                  • _free.LIBCMT ref: 0044FC04
                                  • _free.LIBCMT ref: 0044FC0F
                                  • _free.LIBCMT ref: 0044FC47
                                  • _free.LIBCMT ref: 0044FC4E
                                  • _free.LIBCMT ref: 0044FC6B
                                  • _free.LIBCMT ref: 0044FC83
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: b7ef605ccd965c869b2e05edb79bfb80bd9a0298b636961e3ec43af93a1375b9
                                  • Instruction ID: 3ab02cf78170ad634f8d0de65b9125c41ac80f736b079e9f2e4498fa10b99b54
                                  • Opcode Fuzzy Hash: b7ef605ccd965c869b2e05edb79bfb80bd9a0298b636961e3ec43af93a1375b9
                                  • Instruction Fuzzy Hash: 28316D71500A069FFF309A3AE846B5B73E8FF01318F10842FE498D6252DB39EC448B58
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408357
                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 0040838F
                                  • __aulldiv.LIBCMT ref: 004083C1
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 004084E4
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004084FF
                                  • CloseHandle.KERNEL32(00000000), ref: 004085D8
                                  • CloseHandle.KERNEL32(00000000,00000052), ref: 00408622
                                  • CloseHandle.KERNEL32(00000000), ref: 00408670
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                  • API String ID: 3086580692-2596673759
                                  • Opcode ID: e5c8ebcebdea43ccca26688170e863ccb4068e6efc03c66e31fcb32368835e15
                                  • Instruction ID: 2e3c2baa84d0001f6d92d6a12086262f6ba3ffa6ab37ef3033deaea4bc0aa555
                                  • Opcode Fuzzy Hash: e5c8ebcebdea43ccca26688170e863ccb4068e6efc03c66e31fcb32368835e15
                                  • Instruction Fuzzy Hash: 31B1C1316083409BC314FB65C981AAFB7E9AFC4354F40492FF489622D2EF789945CB9B
                                  APIs
                                    • Part of subcall function 00411D93: TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                                    • Part of subcall function 00411D93: WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                                    • Part of subcall function 004129E0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00473238), ref: 004129FC
                                    • Part of subcall function 004129E0: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412A15
                                    • Part of subcall function 004129E0: RegCloseKey.ADVAPI32(00000000), ref: 00412A20
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040CD5D
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000000), ref: 0040CEBC
                                  • ExitProcess.KERNEL32 ref: 0040CEC8
                                  Similarity
                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                  • String ID: """, 0$.vbs$82G$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                  • API String ID: 1913171305-4128442165
                                  APIs
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412010
                                    • Part of subcall function 0041A4D3: GetCurrentProcessId.KERNEL32(00000000,6BEF8300,00000000,?,?,?,?,0046A8F0,0040C716,.vbs,?,?,?,?,?,00473238), ref: 0041A4FA
                                    • Part of subcall function 00417456: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00463E44), ref: 0041746C
                                    • Part of subcall function 00417456: CloseHandle.KERNEL32(D>F,?,?,004040D5,00463E44), ref: 00417475
                                  • Sleep.KERNEL32(0000000A,00463E44), ref: 00412162
                                  • Sleep.KERNEL32(0000000A,00463E44,00463E44), ref: 00412204
                                  • Sleep.KERNEL32(0000000A,00463E44,00463E44,00463E44), ref: 004122A6
                                  • DeleteFileW.KERNEL32(00000000,00463E44,00463E44,00463E44), ref: 00412308
                                  • DeleteFileW.KERNEL32(00000000,00463E44,00463E44,00463E44), ref: 0041233F
                                  • DeleteFileW.KERNEL32(00000000,00463E44,00463E44,00463E44), ref: 0041237B
                                  • Sleep.KERNEL32(000001F4,00463E44,00463E44,00463E44), ref: 00412395
                                  • Sleep.KERNEL32(00000064), ref: 004123D7
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  Similarity
                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                  • String ID: /stext "
                                  • API String ID: 1223786279-3856184850
                                  APIs
                                    • Part of subcall function 004541AA: CreateFileW.KERNEL32(00000000,00000000,?,00454585,?,?,00000000,?,00454585,00000000,0000000C), ref: 004541C7
                                  • GetLastError.KERNEL32 ref: 004545F0
                                  • __dosmaperr.LIBCMT ref: 004545F7
                                  • GetFileType.KERNEL32(00000000), ref: 00454603
                                  • GetLastError.KERNEL32 ref: 0045460D
                                  • __dosmaperr.LIBCMT ref: 00454616
                                  • CloseHandle.KERNEL32(00000000), ref: 00454636
                                  • CloseHandle.KERNEL32(?), ref: 00454780
                                  • GetLastError.KERNEL32 ref: 004547B2
                                  • __dosmaperr.LIBCMT ref: 004547B9
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  Similarity
                                  • API ID:
                                  • String ID: 65535$udp
                                  • API String ID: 0-1267037602
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439192
                                  • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043919F
                                  • __dosmaperr.LIBCMT ref: 004391A6
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004391D2
                                  • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004391DC
                                  • __dosmaperr.LIBCMT ref: 004391E3
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 00439226
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439230
                                  • __dosmaperr.LIBCMT ref: 00439237
                                  • _free.LIBCMT ref: 00439243
                                  • _free.LIBCMT ref: 0043924A
                                  Similarity
                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                  • String ID:
                                  • API String ID: 2441525078-0
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 0040549F
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
                                  • TranslateMessage.USER32(?), ref: 0040555E
                                  • DispatchMessageA.USER32(?), ref: 00405569
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00472F60), ref: 00405621
                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  Similarity
                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                  • API String ID: 2956720200-749203953
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00470B14,00000000, 2GBm@,00003000,00000004,00000000,00000001), ref: 00406A51
                                  • GetCurrentProcess.KERNEL32(00470B14,00000000,00008000,?,00000000,00000001,00000000,00406CCA,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 00406B12
                                  Similarity
                                  • API ID: CurrentProcess
                                  • String ID: 2GBm@$PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                  • API String ID: 2050909247-2552087879
                                  APIs
                                  • OpenClipboard.USER32 ref: 00415882
                                  • EmptyClipboard.USER32 ref: 00415890
                                  • CloseClipboard.USER32 ref: 00415896
                                  • OpenClipboard.USER32 ref: 0041589D
                                  • GetClipboardData.USER32(0000000D), ref: 004158AD
                                  • GlobalLock.KERNEL32(00000000), ref: 004158B6
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004158BF
                                  • CloseClipboard.USER32 ref: 004158C5
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  Similarity
                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                  • String ID: 4G
                                  • API String ID: 2172192267-3080958808
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00418FE1,00000000), ref: 00419677
                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00418FE1,00000000), ref: 0041968E
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418FE1,00000000), ref: 0041969B
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00418FE1,00000000), ref: 004196AA
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418FE1,00000000), ref: 004196BB
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418FE1,00000000), ref: 004196BE
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  APIs
                                  • _free.LIBCMT ref: 004469B5
                                    • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                                    • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                                  • _free.LIBCMT ref: 004469C1
                                  • _free.LIBCMT ref: 004469CC
                                  • _free.LIBCMT ref: 004469D7
                                  • _free.LIBCMT ref: 004469E2
                                  • _free.LIBCMT ref: 004469ED
                                  • _free.LIBCMT ref: 004469F8
                                  • _free.LIBCMT ref: 00446A03
                                  • _free.LIBCMT ref: 00446A0E
                                  • _free.LIBCMT ref: 00446A1C
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00418B14
                                  • GdiplusStartup.GDIPLUS(00470DA4,?,00000000), ref: 00418B46
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 00418BD2
                                  • Sleep.KERNEL32(000003E8), ref: 00418C58
                                  • GetLocalTime.KERNEL32(?), ref: 00418C60
                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00418D4F
                                  Similarity
                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                  • API String ID: 489098229-3790400642
                                  APIs
                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004558FF), ref: 00454828
                                  Similarity
                                  • API ID: DecodePointer
                                  • String ID: acos$asin$exp$log$log10$pow$sqrt
                                  • API String ID: 3527080286-3064271455
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004164F5
                                    • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                                  • Sleep.KERNEL32(00000064), ref: 00416521
                                  • DeleteFileW.KERNEL32(00000000), ref: 00416555
                                  Similarity
                                  • API ID: File$CreateDeleteExecuteShellSleep
                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                  • API String ID: 1462127192-2001430897
                                  APIs
                                  • _strftime.LIBCMT ref: 00401D30
                                    • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                                  • waveInUnprepareHeader.WINMM(00470A88,00000020,00000000,?), ref: 00401DE2
                                  • waveInPrepareHeader.WINMM(00470A88,00000020), ref: 00401E20
                                  • waveInAddBuffer.WINMM(00470A88,00000020), ref: 00401E2F
                                  Similarity
                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                  • String ID: %Y-%m-%d %H.%M$.wav$@-G$X-G
                                  • API String ID: 3809562944-1740755071
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004103B1
                                  • int.LIBCPMT ref: 004103C4
                                    • Part of subcall function 0040D5C5: std::_Lockit::_Lockit.LIBCPMT ref: 0040D5D6
                                    • Part of subcall function 0040D5C5: std::_Lockit::~_Lockit.LIBCPMT ref: 0040D5F0
                                  • std::_Facet_Register.LIBCPMT ref: 00410404
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0041040D
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041042B
                                  • __Init_thread_footer.LIBCMT ref: 0041046C
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                  • String ID: hJG$lJG
                                  • API String ID: 3815856325-3986032958
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041BD81
                                    • Part of subcall function 0041BE1A: RegisterClassExA.USER32(00000030), ref: 0041BE66
                                    • Part of subcall function 0041BE1A: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041BE81
                                    • Part of subcall function 0041BE1A: GetLastError.KERNEL32 ref: 0041BE8B
                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041BDB8
                                  • lstrcpynA.KERNEL32(00472B38,Remcos,00000080), ref: 0041BDD2
                                  • Shell_NotifyIconA.SHELL32(00000000,00472B20), ref: 0041BDE8
                                  • TranslateMessage.USER32(?), ref: 0041BDF4
                                  • DispatchMessageA.USER32(?), ref: 0041BDFE
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041BE0B
                                  Similarity
                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                  • String ID: Remcos
                                  • API String ID: 1970332568-165870891
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56c92366c9c142871bd2cfac74ae2ca5b0ffb3cedc8e660afd08c35565e41f2e
                                  • Instruction ID: bf7309e27d7813377405dfc29e16a9701e648260f6ca06a135f05bfcd2001108
                                  • Opcode Fuzzy Hash: 56c92366c9c142871bd2cfac74ae2ca5b0ffb3cedc8e660afd08c35565e41f2e
                                  • Instruction Fuzzy Hash: D2C108B0D04249AFEF11DFA9C841BAE7BB4EF09304F14409AE514A7392C778D941CBA9
                                  APIs
                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004528DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 004526AF
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00452732
                                  • __alloca_probe_16.LIBCMT ref: 0045276A
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004528DC,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 004527C5
                                  • __alloca_probe_16.LIBCMT ref: 00452814
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 004527DC
                                    • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B8F,?,?,00437117,?,?,00000000,?,?,0040D366,00433B8F,?,?,?,?), ref: 00444A6A
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00452858
                                  • __freea.LIBCMT ref: 00452883
                                  • __freea.LIBCMT ref: 0045288F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                  • String ID:
                                  • API String ID: 201697637-0
                                  • Opcode ID: 768b996481d749ff10557c4c7c1c0a01c42c9ac738d115a97dc7b4c5a44c3e6d
                                  • Instruction ID: ccc14fa8acdac63bc9519f5215d42201de6c5a87ae6f625bde0ffe2347fa224d
                                  • Opcode Fuzzy Hash: 768b996481d749ff10557c4c7c1c0a01c42c9ac738d115a97dc7b4c5a44c3e6d
                                  • Instruction Fuzzy Hash: 07911871E002169BDF249EA5C981EEF7BB59F4A311F18062BEC00E7242D779CC498768
                                  APIs
                                    • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                    • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                                    • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                    • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                                  • _memcmp.LIBVCRUNTIME ref: 00443D24
                                  • _free.LIBCMT ref: 00443D95
                                  • _free.LIBCMT ref: 00443DAE
                                  • _free.LIBCMT ref: 00443DE0
                                  • _free.LIBCMT ref: 00443DE9
                                  • _free.LIBCMT ref: 00443DF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorLast$_abort_memcmp
                                  • String ID: C
                                  • API String ID: 1679612858-1037565863
                                  • Opcode ID: 1b1c48012eeba7c920ea9576d40ce91f528395a5288f823ec30480752eb40b77
                                  • Instruction ID: 0980accce80153226f5651e8385caabd2fc42b640f1cc77c082d88c635091a5b
                                  • Opcode Fuzzy Hash: 1b1c48012eeba7c920ea9576d40ce91f528395a5288f823ec30480752eb40b77
                                  • Instruction Fuzzy Hash: 71B16B75A016199FEB24DF18C884BAEB7B4FF08705F5085AEE849A7351E734AE90CF44
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: tcp$udp
                                  • API String ID: 0-3725065008
                                  • Opcode ID: 989d942223f8045c26bfd392dcc121cd2c507f3a9003dba06f7d9cf9a685d5a6
                                  • Instruction ID: 254d435c4adeb88c6bd87cc200726294b993cf902dfc57313b1be41f1fc3726a
                                  • Opcode Fuzzy Hash: 989d942223f8045c26bfd392dcc121cd2c507f3a9003dba06f7d9cf9a685d5a6
                                  • Instruction Fuzzy Hash: A77188706083028FDB24CE15D4846ABBBE4EF94746F14493FF88597360E779CE858B9A
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Eventinet_ntoa
                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                  • API String ID: 3578746661-168337528
                                  • Opcode ID: 4c88a89556d7277a2639c9f4f4499473924fc5de8090db1450a86c4d47404f2b
                                  • Instruction ID: e75f285b9767d1c550f565d519be053d97adf82a0a3bf380a10654d69fa8857e
                                  • Opcode Fuzzy Hash: 4c88a89556d7277a2639c9f4f4499473924fc5de8090db1450a86c4d47404f2b
                                  • Instruction Fuzzy Hash: A051D631A043009BC714BB79D81A66E36A5AB80314F40453FF90AA76E5EF7C9985CBDF
                                  APIs
                                    • Part of subcall function 00416E1A: __EH_prolog.LIBCMT ref: 00416E1F
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00464074), ref: 00416CCA
                                  • CloseHandle.KERNEL32(00000000), ref: 00416CD3
                                  • DeleteFileA.KERNEL32(00000000), ref: 00416CE2
                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416C96
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                  • String ID: <$@$Temp
                                  • API String ID: 1704390241-1032778388
                                  • Opcode ID: 44790ab4aaf770b002a80646d7744e54128f30277d72e78bf0742a93fa7efc13
                                  • Instruction ID: 69e270f03dbcf525bbd0e705c12af2ecc391514570d21efb9077f5f7aa5c102b
                                  • Opcode Fuzzy Hash: 44790ab4aaf770b002a80646d7744e54128f30277d72e78bf0742a93fa7efc13
                                  • Instruction Fuzzy Hash: A54196319002099BDB14FBA1DC56AED7738AF50318F50427EF505760D2EF785A86CB99
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00472EC8,00463F74,?,00000000,00407670,00000000), ref: 00407039
                                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407670,00000000,?,?,0000000A,00000000), ref: 00407081
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00407670,00000000,?,?,0000000A,00000000), ref: 004070C1
                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 004070DE
                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407109
                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407119
                                    • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,?,00472EE0,00404C29,00000000,?,?,?,00472EE0,?), ref: 00404B85
                                    • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                  • String ID: .part
                                  • API String ID: 1303771098-3499674018
                                  • Opcode ID: 10c4e6284854959ab80f0d6881149f7a25d3731528dd7d43ec1f48645700cc24
                                  • Instruction ID: e251a7d4a1aabd80805b5d7196bb96980f3888c3ff40e4c14fed717d8046ce17
                                  • Opcode Fuzzy Hash: 10c4e6284854959ab80f0d6881149f7a25d3731528dd7d43ec1f48645700cc24
                                  • Instruction Fuzzy Hash: FE318571508301AFC210EB61DC859AFB7ECEB94355F40493FF945A21D2DB78EA488B9A
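The entries above list the call sequences behind three Remcos behaviours: the "Remcos" tray icon (RegisterClassExA, CreateWindowExA, lstrcpynA, Shell_NotifyIconA), execute-then-delete from Temp (ShellExecuteExA, WaitForSingleObject, CloseHandle, DeleteFileA), and a staged download that writes a .part file and renames it (CreateFileW, WriteFile, CloseHandle, MoveFileW). The following is an added example, not part of the Joe Sandbox report or the Remcos code: a small matcher that turns those sequences into ordered-subsequence signatures and runs them over a per-process API trace. The trace line format (`pid api(args)`) and the sample trace are constructed for this example; the addresses and call counts in the listing are not used.

```python
"""Behavioural signature matcher over a per-process API-call trace.

Added example, not from the Joe Sandbox report.  The API sequences come from
the function listings above; the trace format and sample trace are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    # APIs that must appear in this order; unrelated calls may sit between them
    sequence: tuple
    # substrings that must occur in the arguments of the matched calls
    arg_markers: tuple = ()


SIGNATURES = [
    Signature("remcos_tray_icon",
              ("RegisterClassExA", "CreateWindowExA", "lstrcpynA", "Shell_NotifyIconA"),
              ("Remcos",)),
    Signature("execute_then_delete_from_temp",
              ("ShellExecuteExA", "WaitForSingleObject", "CloseHandle", "DeleteFileA"),
              ("Temp",)),
    Signature("staged_download_part_file",
              ("CreateFileW", "WriteFile", "CloseHandle", "MoveFileW"),
              (".part",)),
]


def parse_trace(lines):
    """Parse constructed 'pid api(args)' lines into (pid, api, args); skip malformed ones."""
    calls = []
    for line in lines:
        line = line.strip()
        if not line or "(" not in line:
            continue
        head, _, rest = line.partition("(")
        parts = head.split()
        if len(parts) != 2:
            continue
        pid, api = parts
        args = rest.rsplit(")", 1)[0]
        calls.append((pid, api, args))
    return calls


def match_signature(sig, calls):
    """True if sig.sequence is an ordered subsequence of calls and every arg
    marker appears in the arguments of the matched calls (greedy, leftmost)."""
    idx = 0
    matched_args = []
    for _pid, api, args in calls:
        if api == sig.sequence[idx]:
            matched_args.append(args)
            idx += 1
            if idx == len(sig.sequence):
                break
    if idx < len(sig.sequence):
        return False
    joined = "\n".join(matched_args)
    return all(marker in joined for marker in sig.arg_markers)


def scan_trace(lines, signatures=SIGNATURES):
    """Group calls by pid; return {pid: [matched signature names]} for pids with hits."""
    by_pid = {}
    for call in parse_trace(lines):
        by_pid.setdefault(call[0], []).append(call)
    hits = {}
    for pid, calls in by_pid.items():
        names = [s.name for s in signatures if match_signature(s, calls)]
        if names:
            hits[pid] = names
    return hits


# Constructed trace: pid 6 mimics the injected RegAsm.exe, pid 7 is a benign reader.
SAMPLE_TRACE = """\
6 RegisterClassExA(0x30)
6 CreateWindowExA(0, "cls", 0, 0, 0, 0, 0, 0, 0xFD, 0, 0, 0)
6 ExtractIconA(0, "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", 0)
6 lstrcpynA(0x472B38, "Remcos", 0x80)
6 Shell_NotifyIconA(0, 0x472B20)
6 GetMessageA(0x19FE40, 0, 0, 0)
6 CreateFileW("C:\\Users\\user\\AppData\\Local\\Temp\\update.exe.part", 4, 0, 0, 2, 0x80, 0)
6 WriteFile(0x1C4, 0x2A0000, 100000, 0x19FD10, 0)
6 CloseHandle(0x1C4)
6 MoveFileW("C:\\Users\\user\\AppData\\Local\\Temp\\update.exe.part", "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe")
6 ShellExecuteExA(0x19FC80)
6 WaitForSingleObject(0x1D0, 0xFFFFFFFF)
6 CloseHandle(0x1D0)
6 DeleteFileA("C:\\Users\\user\\AppData\\Local\\Temp\\update.exe")
7 CreateFileW("C:\\Users\\user\\Documents\\notes.txt", 0x80000000, 1, 0, 3, 0x80, 0)
7 ReadFile(0x1E0, 0x3A0000, 4096, 0x19FE00, 0)
7 CloseHandle(0x1E0)
"""

if __name__ == "__main__":
    for pid, names in scan_trace(SAMPLE_TRACE.splitlines()).items():
        print(pid, names)
```

Greedy leftmost matching is deliberate: it keeps the matcher linear in the trace length, but it can bind a common call such as CloseHandle to the wrong instance, so the argument markers are checked over the whole matched run rather than per call. A production version would also bound the time window between the first and last call of a sequence.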
                                  APIs
                                    • Part of subcall function 0041288E: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004128B2
                                    • Part of subcall function 0041288E: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004128CF
                                    • Part of subcall function 0041288E: RegCloseKey.KERNELBASE(?), ref: 004128DA
                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B4E5
                                  • PathFileExistsA.SHLWAPI(?), ref: 0040B4F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$P9G$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                  • API String ID: 1133728706-1387963244
                                  • Opcode ID: 9b793db37a923494a0d220d9535e1ebf344d0f4b6fa34768dd53b2feafdf936b
                                  • Instruction ID: ea656425d40d7a45f5e056d43768dd8003def9e5f0b6d0ab8c53a167709f9c7c
                                  • Opcode Fuzzy Hash: 9b793db37a923494a0d220d9535e1ebf344d0f4b6fa34768dd53b2feafdf936b
                                  • Instruction Fuzzy Hash: DB214F31A402096ACB04F7E1DD96EEE77689E51708F40017FB901772C2EB7C9A45C6DE
                                  APIs
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                                  • waveInOpen.WINMM(00470AC0,000000FF,00470AA8,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                                  • waveInPrepareHeader.WINMM(00470A88,00000020), ref: 00401CC3
                                  • waveInAddBuffer.WINMM(00470A88,00000020), ref: 00401CD2
                                  • waveInStart.WINMM ref: 00401CDE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                  • String ID: @-G$X-G
                                  • API String ID: 1356121797-233566475
                                  • Opcode ID: b9ba73a9f6c6cdf9c182fe07cfeb2488a23d45f14fb65cf0744bdb7d097694af
                                  • Instruction ID: d9f75f8a904554b1551795dc4e374556cb90ebe8a53537c147534bfad38ff794
                                  • Opcode Fuzzy Hash: b9ba73a9f6c6cdf9c182fe07cfeb2488a23d45f14fb65cf0744bdb7d097694af
                                  • Instruction Fuzzy Hash: 5C213771616300DBC754AFAAFC09A6A7BA9EBB5315F00843EB10DD76F1DBB844818B5C
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042C60C,?,?,?,0044971A,00000001,00000001,?), ref: 00449523
                                  • __alloca_probe_16.LIBCMT ref: 0044955B
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042C60C,?,?,?,0044971A,00000001,00000001,?), ref: 004495A9
                                  • __alloca_probe_16.LIBCMT ref: 00449640
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004496A3
                                  • __freea.LIBCMT ref: 004496B0
                                    • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B8F,?,?,00437117,?,?,00000000,?,?,0040D366,00433B8F,?,?,?,?), ref: 00444A6A
                                  • __freea.LIBCMT ref: 004496B9
                                  • __freea.LIBCMT ref: 004496DE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                  • String ID:
                                  • API String ID: 3864826663-0
                                  • Opcode ID: c26f59f17cb63017309268d6e2a54a5d3af622c0da74579a986ce8ca93dbc3e9
                                  • Instruction ID: 16b5e23e06f44e8f5b9cde4bfd472c7b38c402739d6472c7ebbca8c933d1a93d
                                  • Opcode Fuzzy Hash: c26f59f17cb63017309268d6e2a54a5d3af622c0da74579a986ce8ca93dbc3e9
                                  • Instruction Fuzzy Hash: C7510572A00216AFFB259F65CC81EBF77A9EB44750F16462EFC05D7240EB38DC50A698
                                  APIs
                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00418527
                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00418548
                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00418568
                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 0041857C
                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00418592
                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004185AF
                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004185CA
                                  • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 004185E6
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InputSend
                                  • String ID:
                                  • API String ID: 3431551938-0
                                  • Opcode ID: 7d215fb67b09a99a4312223830ed08cf21abfe0e7ede0b47ac2bedd79d27f7c4
                                  • Instruction ID: 0947e47258becacd92e061a94fe1ad349a6366cffbcd8e1d8fee47d4855f6fd4
                                  • Opcode Fuzzy Hash: 7d215fb67b09a99a4312223830ed08cf21abfe0e7ede0b47ac2bedd79d27f7c4
                                  • Instruction Fuzzy Hash: 9C318131558309BEE311CF51DD41BEBBBDCEF98B54F00080FF6808A191D6A695C98BA7
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16_free
                                  • String ID: a/p$am/pm$hcD
                                  • API String ID: 2936374016-190199888
                                  • Opcode ID: 5c7e93bfea36d6bfccbfe78ada7fac18a8ac017cf94aac838d0c5b4a5acd0a7e
                                  • Instruction ID: 32e67ee006756031a0b78f425dd56af27fcec1da6a44ec8361004faafc6abf4c
                                  • Opcode Fuzzy Hash: 5c7e93bfea36d6bfccbfe78ada7fac18a8ac017cf94aac838d0c5b4a5acd0a7e
                                  • Instruction Fuzzy Hash: A9D1D231900205ABFB249FA8C955ABBB7B0FF06300F25419BE941AB342D77D9D81CB5B
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: bdae3a8ff5b80d57b785f2781f8bb375039c999b1d8b81c3e14c9f7f4d8bf86a
                                  • Instruction ID: 121fa3ad2d8a90f2dd1ed919a7657a0be01bb40abeb4b2edb7d8cd7f10ddde60
                                  • Opcode Fuzzy Hash: bdae3a8ff5b80d57b785f2781f8bb375039c999b1d8b81c3e14c9f7f4d8bf86a
                                  • Instruction Fuzzy Hash: D8610075900205AFEB20CF69C842B9FBBF4EF15724F14407BE844EB242EB749D468B98
                                  APIs
                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00412DA4
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00412DD3
                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00412E73
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Enum$InfoQueryValue
                                  • String ID: 4G$84G$[regsplt]
                                  • API String ID: 3554306468-2898483682
                                  • Opcode ID: 5e53207f1c758ac982cb165bd3fd1bea72a9c3d269eac39655c94d43fd0b626d
                                  • Instruction ID: cf1d04cbe3be26fdb60a522ae5fe91f3eacc00445e23186f7e28dbfa0a80019f
                                  • Opcode Fuzzy Hash: 5e53207f1c758ac982cb165bd3fd1bea72a9c3d269eac39655c94d43fd0b626d
                                  • Instruction Fuzzy Hash: FA512B71900219AADB10EB91DD85EEFB7BCAF04304F50017AE505F2191EF74AB49CBA9
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID: EDE$EDE
                                  • API String ID: 269201875-1143427775
                                  • Opcode ID: 6c78bc0ecd021690797f9600b798c5c744d82ef1b2dec448d1b2b23438ea67aa
                                  • Instruction ID: 88694d13a6d820189563449504a694bd1f50df3e673083fec4fd5d227810db4a
                                  • Opcode Fuzzy Hash: 6c78bc0ecd021690797f9600b798c5c744d82ef1b2dec448d1b2b23438ea67aa
                                  • Instruction Fuzzy Hash: 83415B31A00944BBEB206BBA8C52A7F3BA5DF45335F24051FFC18C22D3E67C8809566E
                                  APIs
                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A3B1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00449C7E
                                  • __fassign.LIBCMT ref: 00449CF9
                                  • __fassign.LIBCMT ref: 00449D14
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00449D3A
                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A3B1,00000000,?,?,?,?,?,?,?,?,?,0044A3B1,?), ref: 00449D59
                                  • WriteFile.KERNEL32(?,?,00000001,0044A3B1,00000000,?,?,?,?,?,?,?,?,?,0044A3B1,?), ref: 00449D92
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  • API String ID: 1324828854-0
                                  • Opcode ID: 375b3492dfa092f37ad602e657ac1f80d9a3d9ae5f6776982733ad928ad8e07f
                                  • Instruction ID: 2d42c393ae315c603a8a69066ade60cad850b82c9b10e16282d480ace16cedcb
                                  • Opcode Fuzzy Hash: 375b3492dfa092f37ad602e657ac1f80d9a3d9ae5f6776982733ad928ad8e07f
                                  • Instruction Fuzzy Hash: 1D5181B1E00249AFEB10CFA8D885AEEBBF4EF09300F14416BE955E7291D6749D41CB69
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 0041302E
                                    • Part of subcall function 00412D3D: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00412DA4
                                    • Part of subcall function 00412D3D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00412DD3
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  • RegCloseKey.ADVAPI32(00000000,00464074,00464074,0046A8F0,0046A8F0,00000071), ref: 0041319C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnumInfoOpenQuerysend
                                  • String ID: 4G$84G$P4G$P4G
                                  • API String ID: 3114080316-1145574035
                                  • Opcode ID: adf04e29183ee4ef3692bda11a53b2bc689102b85cca0ea5a2c112af7dd1a774
                                  • Instruction ID: fd6b18073abc04bee90befd91301638a83fdde0089edac9dbf0f47121c2ff828
                                  • Opcode Fuzzy Hash: adf04e29183ee4ef3692bda11a53b2bc689102b85cca0ea5a2c112af7dd1a774
                                  • Instruction Fuzzy Hash: 6841F6316442005BC318FB65D992AEFB3989FD0348F40893FF149631D2EF7C5A0A969E
                                  APIs
                                    • Part of subcall function 00412903: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,00473298), ref: 00412925
                                    • Part of subcall function 00412903: RegQueryValueExW.ADVAPI32(?,0@,00000000,00000000,?,00000400), ref: 00412944
                                    • Part of subcall function 00412903: RegCloseKey.ADVAPI32(?), ref: 0041294D
                                    • Part of subcall function 0041AB12: GetCurrentProcess.KERNEL32(?,?,?,0040CFAE,WinDir,00000000,00000000), ref: 0041AB23
                                  • _wcslen.LIBCMT ref: 0041A2BE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                  • String ID: .exe$T@$http\shell\open\command$program files (x86)\$program files\
                                  • API String ID: 37874593-902212947
                                  • Opcode ID: c09dd6cc7a4e4de16c6ce298c0561fad34c0ce7a974c4b4a81f975ea242df26b
                                  • Instruction ID: 21aed5fb5d72de47c87afb81655524ea1d35e8d6521c3cb27bca8a170edf9ba1
                                  • Opcode Fuzzy Hash: c09dd6cc7a4e4de16c6ce298c0561fad34c0ce7a974c4b4a81f975ea242df26b
                                  • Instruction Fuzzy Hash: 0E218871B001042BDB04BAB69C96EEE32AD9B44318F14057FF806B72C2ED7D9D5947AD
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1937e19eed58fd6eaa34ed345285247f5b202f0c51715d77c7ab66ce3919d979
                                  • Instruction ID: 243b992db74428a8b8f40e07f5805634c7787d5acd7d10a8c2111fadf3c51f9b
                                  • Opcode Fuzzy Hash: 1937e19eed58fd6eaa34ed345285247f5b202f0c51715d77c7ab66ce3919d979
                                  • Instruction Fuzzy Hash: A6112731505605BBDB102F779C0597B3BA9EF86336B11066AFC11C7252EA38C8459269
                                  APIs
                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419F02
                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 00419F18
                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 00419F31
                                  • InternetCloseHandle.WININET(00000000), ref: 00419F77
                                  • InternetCloseHandle.WININET(00000000), ref: 00419F7A
                                  Strings
                                  • http://geoplugin.net/json.gp, xrefs: 00419F12
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleOpen$FileRead
                                  • String ID: http://geoplugin.net/json.gp
                                  • API String ID: 3121278467-91888290
                                  • Opcode ID: b70420d5a93b7a535b9f0780db9f0257e69646b3b27e663e20444d8a643ca501
                                  • Instruction ID: a70ecc99465d7097496f885b09ad11ab3779813296453655fb12c4e4d745da0f
                                  • Opcode Fuzzy Hash: b70420d5a93b7a535b9f0780db9f0257e69646b3b27e663e20444d8a643ca501
                                  • Instruction Fuzzy Hash: FD11C8311093127BD224AB169C49DBF7F9CEF86765F00043EF945E2291DB68DC45C6BA
                                  APIs
                                    • Part of subcall function 0044F4C1: _free.LIBCMT ref: 0044F4EA
                                  • _free.LIBCMT ref: 0044F7C8
                                    • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                                    • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                                  • _free.LIBCMT ref: 0044F7D3
                                  • _free.LIBCMT ref: 0044F7DE
                                  • _free.LIBCMT ref: 0044F832
                                  • _free.LIBCMT ref: 0044F83D
                                  • _free.LIBCMT ref: 0044F848
                                  • _free.LIBCMT ref: 0044F853
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                  • Instruction ID: e20f7d93c4c1b7366c41c1c89a5bca39aa981d096f5eec7d46ef9b7b16274198
                                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                  • Instruction Fuzzy Hash: C7117F71540B54AAEA30BBB2CC47FCF779C9F50708F81492FB39DA6052EA2CB5188794
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004106B3
                                  • int.LIBCPMT ref: 004106C6
                                    • Part of subcall function 0040D5C5: std::_Lockit::_Lockit.LIBCPMT ref: 0040D5D6
                                    • Part of subcall function 0040D5C5: std::_Lockit::~_Lockit.LIBCPMT ref: 0040D5F0
                                  • std::_Facet_Register.LIBCPMT ref: 00410706
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0041070F
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041072D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                  • String ID: hLG
                                  • API String ID: 2536120697-233936816
                                  • Opcode ID: 99b5b19e431d5557e67861a712304b6b752d2c0181be359e19d33e13748e27ed
                                  • Instruction ID: 7c3c20e224a2a00f7f7be6237b00d9c90688f6040d3be4d1753458cdbc359952
                                  • Opcode Fuzzy Hash: 99b5b19e431d5557e67861a712304b6b752d2c0181be359e19d33e13748e27ed
                                  • Instruction Fuzzy Hash: 96110A32900218ABCB11FBE5C8418DEBB689F84724F11056FF815672D1DF78AE85CBD8
                                  APIs
                                  • GetLastError.KERNEL32(?,?,00438C4E,00437B8E), ref: 00438C65
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438C73
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00438C8C
                                  • SetLastError.KERNEL32(00000000,?,00438C4E,00437B8E), ref: 00438CDE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  • Opcode ID: 06d2b6d0d256db09040b2198e32479e012de82d5718a97fd6b90c10f44b40caa
                                  • Instruction ID: 21f9491cf859890c7eadaa784ea30681ac294a37727d4d336c6cdb78a7d4fc19
                                  • Opcode Fuzzy Hash: 06d2b6d0d256db09040b2198e32479e012de82d5718a97fd6b90c10f44b40caa
                                  • Instruction Fuzzy Hash: 7001F73220E7126FE6242B797C86A2B6744DB09779F20323FF624456E2FF594C09726D
                                  APIs
                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 00406C44
                                    • Part of subcall function 00406B71: _wcslen.LIBCMT ref: 00406B95
                                    • Part of subcall function 00406B71: CoGetObject.OLE32(?,00000024,004644E0,00000000), ref: 00406BF6
                                  • CoUninitialize.OLE32 ref: 00406C9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InitializeObjectUninitialize_wcslen
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                  • API String ID: 3851391207-1839356972
                                  • Opcode ID: 21c6875a4e00bf3e9cd9c84db11fc7adaedb877f72474f7b3962a236dd4ca43a
                                  • Instruction ID: 4a2b0e9ada28304c15679dea14e35c8bbb0126878905a56f40071f2f2dcd1631
                                  • Opcode Fuzzy Hash: 21c6875a4e00bf3e9cd9c84db11fc7adaedb877f72474f7b3962a236dd4ca43a
                                  • Instruction Fuzzy Hash: 5D01C0723093116FF7246B52EC0AF3B7798DB8176AF16013FF946A61C1EAB9EC004169
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B057
                                  • GetLastError.KERNEL32 ref: 0040B061
                                  Strings
                                  • UserProfile, xrefs: 0040B027
                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B022
                                  • [Chrome Cookies not found], xrefs: 0040B07B
                                  • [Chrome Cookies found, cleared!], xrefs: 0040B087
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                  • API String ID: 2018770650-304995407
                                  • Opcode ID: 674fc3c9b04eb3bbb07f4ea1947c9d31b87e886c7370853f700982ba43f0b19b
                                  • Instruction ID: f9fbcf48e46e0b37629b78e1018d25b522eb7a253e11c313dbfba25adce049df
                                  • Opcode Fuzzy Hash: 674fc3c9b04eb3bbb07f4ea1947c9d31b87e886c7370853f700982ba43f0b19b
                                  • Instruction Fuzzy Hash: FE01F271AC410666CA0476B5DD5BCBFBB28E951308B40027FF842721E2FF7A490586CF
                                  APIs
                                  • AllocConsole.KERNEL32(00473280), ref: 0041B6AF
                                  • ShowWindow.USER32(00000000,00000000), ref: 0041B6C8
                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041B6ED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Console$AllocOutputShowWindow
                                  • String ID: Remcos v$4.6.0 Pro$CONOUT$
                                  • API String ID: 2425139147-579393372
                                  • Opcode ID: 9fa98f7035d97c5e21b7ac84947d6802447a46aa1252a65f1097801335382c61
                                  • Instruction ID: db7634a49a328e0f99b2c2d62409033857a76ccc0adaf027dd828388b15aa78f
                                  • Opcode Fuzzy Hash: 9fa98f7035d97c5e21b7ac84947d6802447a46aa1252a65f1097801335382c61
                                  • Instruction Fuzzy Hash: B1012171A903086BE600FBB19D4BF9D33ACAB14705F501427B604A7192EABD9924CA6E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 2G$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$h2G
                                  • API String ID: 0-3224351580
                                  • Opcode ID: 18dc0d05516684f0e5c4549d7765abd71e08f7c82f7c2b79b8778d135e40d2fd
                                  • Instruction ID: 7dfc231a9bb00e149e5c0c7810f67d20ab7eac2a910a21db205252ecd238aa05
                                  • Opcode Fuzzy Hash: 18dc0d05516684f0e5c4549d7765abd71e08f7c82f7c2b79b8778d135e40d2fd
                                  • Instruction Fuzzy Hash: AEF0F670706311EBDB102B70AD0926A2616EB40306F01447BF84BEA2E1EB7D8852965E
                                  APIs
                                  • __allrem.LIBCMT ref: 00439569
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00439585
                                  • __allrem.LIBCMT ref: 0043959C
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004395BA
                                  • __allrem.LIBCMT ref: 004395D1
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004395EF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                  • String ID:
                                  • API String ID: 1992179935-0
                                  • Opcode ID: 1dddf8e515139d97c6967afe93bbf2e1bd56be1d0b4091d9d2e71436e447a3a3
                                  • Instruction ID: e4b6510059702768e302587ffc0a9b2f327eb02b25cf372d85322d71f2147457
                                  • Opcode Fuzzy Hash: 1dddf8e515139d97c6967afe93bbf2e1bd56be1d0b4091d9d2e71436e447a3a3
                                  • Instruction Fuzzy Hash: BE815B72600B02ABE7249F79CC42B6B73A9AF58328F24552FF411D7381E7B8DD418B58
                                  APIs
                                    • Part of subcall function 00402884: std::_Xinvalid_argument.LIBCPMT ref: 00402889
                                  • Sleep.KERNEL32(00000000,0040C76B), ref: 004044A4
                                    • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: H_prologSleepXinvalid_argumentstd::_
                                  • String ID: 0.G$CloseCamera$FreeFrame$GetFrame$OpenCamera
                                  • API String ID: 834325642-106669708
                                  • Opcode ID: 214fb1b81069e54c38189223d32c4b0a5939f740e9d46bdbbae231fc0bdcc3a6
                                  • Instruction ID: ecedd063232be1ac5acd44a52b85944b2f12cafd62aea4fc44177e9967f66efd
                                  • Opcode Fuzzy Hash: 214fb1b81069e54c38189223d32c4b0a5939f740e9d46bdbbae231fc0bdcc3a6
                                  • Instruction Fuzzy Hash: 6E51E571A04300ABC614FB769D5AA6E37959BD0714F00453FFA0A772E2DF7C8A45839E
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __cftoe
                                  • String ID:
                                  • API String ID: 4189289331-0
                                  • Opcode ID: 1e01b658f374c474e9f8643c5383819788eb159efaecc8c22926f80f8221aa00
                                  • Instruction ID: 8fe28a21c22037a225050a123006aa5e814484bf9f3f78946cda57ab9d9a3774
                                  • Opcode Fuzzy Hash: 1e01b658f374c474e9f8643c5383819788eb159efaecc8c22926f80f8221aa00
                                  • Instruction Fuzzy Hash: 2451EE72900505A7FF249F99CC42FAF77A8AF89774F20425FF81496292DB3DD900866C
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: [Cleared browsers logins and cookies.]$82G$Cleared browsers logins and cookies.$4G
                                  • API String ID: 3472027048-2766125209
                                  • Opcode ID: d4f41cb10cfcedb366cc606608264c9e35b120e8a1e6284df17485382bc05c1e
                                  • Instruction ID: b4021fb9e4edc30202d34e01d01bd8d1c2d2826e69326faececa9b35d7d9af25
                                  • Opcode Fuzzy Hash: d4f41cb10cfcedb366cc606608264c9e35b120e8a1e6284df17485382bc05c1e
                                  • Instruction Fuzzy Hash: D831860474C3806DDA116B7558667AB6F928EA3758F0844FFB8C4273C3DA7B490993AF
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418EE9,00000000), ref: 004197E3
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418EE9,00000000), ref: 004197F7
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418EE9,00000000), ref: 00419804
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418EE9,00000000), ref: 00419839
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418EE9,00000000), ref: 0041984B
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418EE9,00000000), ref: 0041984E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                  • String ID:
                                  • API String ID: 493672254-0
                                  • Opcode ID: 89db2eeda4d7a14c159b1e2db7b08147fbbc75be0f1cf0d233a7f0901b401b0a
                                  • Instruction ID: a47b9f36788e1574db55dd564176aee803a97132f2343e107bd38cafad37238b
                                  • Opcode Fuzzy Hash: 89db2eeda4d7a14c159b1e2db7b08147fbbc75be0f1cf0d233a7f0901b401b0a
                                  • Instruction Fuzzy Hash: 280149311592147AD6146B34AC6EEBB3B9CDB03770F10033BF525921D2DA68CD45C1E9
                                  APIs
                                  • GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                                  • _free.LIBCMT ref: 00446ACC
                                  • _free.LIBCMT ref: 00446AF4
                                  • SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                                  • SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                                  • _abort.LIBCMT ref: 00446B13
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  • Opcode ID: 806b9488dbb5f67dc4a24e364a824df2f5f943de60d9707ff7ce2e9c29f9cb7b
                                  • Instruction ID: 6a8f3ccd0764d1e9e7d83ebdae3328841d1b307594cb58bb8d86c94d160514c2
                                  • Opcode Fuzzy Hash: 806b9488dbb5f67dc4a24e364a824df2f5f943de60d9707ff7ce2e9c29f9cb7b
                                  • Instruction Fuzzy Hash: 9FF0D675105B0166F612B325BC06E6B2A558BD3B69F22403BF904E22D2EF6DC806816E
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041917E,00000000), ref: 00419610
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041917E,00000000), ref: 00419624
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041917E,00000000), ref: 00419631
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041917E,00000000), ref: 00419640
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041917E,00000000), ref: 00419652
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041917E,00000000), ref: 00419655
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: 3a30e0bb68b7313dde3d1eb38cb2aae4614a93b98f4b7b5f478068b75b9f9c25
                                  • Instruction ID: a7ca8c43b745447570174616d627e1def875c64aa7390fdce4b26778a5b79433
                                  • Opcode Fuzzy Hash: 3a30e0bb68b7313dde3d1eb38cb2aae4614a93b98f4b7b5f478068b75b9f9c25
                                  • Instruction Fuzzy Hash: 4EF0C2315003186BD210AF65AC89DBF3BECDB45BA1F00007AFD09921D2DA28CD4685F9
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041907E,00000000), ref: 0041977B
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041907E,00000000), ref: 0041978F
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041907E,00000000), ref: 0041979C
                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041907E,00000000), ref: 004197AB
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041907E,00000000), ref: 004197BD
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041907E,00000000), ref: 004197C0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: 873fe1e53a0f9db4992710bd9c362209fa13b6379bad2a2478faee38a7fac621
                                  • Instruction ID: a5790d775f0640958528a35b07e9f071147c503c7fab8b2ef1513a048adfe726
                                  • Opcode Fuzzy Hash: 873fe1e53a0f9db4992710bd9c362209fa13b6379bad2a2478faee38a7fac621
                                  • Instruction Fuzzy Hash: 62F0C271501218ABD210AF65EC89DBF3BECDF45BA5B00007AFE09921D2DA38CD4685E9
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004190FE,00000000), ref: 00419714
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004190FE,00000000), ref: 00419728
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004190FE,00000000), ref: 00419735
                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,004190FE,00000000), ref: 00419744
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004190FE,00000000), ref: 00419756
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004190FE,00000000), ref: 00419759
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: b48ecf028ecbd650c8b2eb55cad6b0d4a503340391a173d7c056b828ac736a88
                                  • Instruction ID: 8fc70a690c960e854b45078eaab18319365206aebec4e159bed8ee303a354907
                                  • Opcode Fuzzy Hash: b48ecf028ecbd650c8b2eb55cad6b0d4a503340391a173d7c056b828ac736a88
                                  • Instruction Fuzzy Hash: 74F0C2715002186BD210AF65AC89DBF3BECDF45BA1F40007AFE09A61D2DB38CD4585E9
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 0040189E
                                  • ExitThread.KERNEL32 ref: 004018D6
                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00472EC8,00000000), ref: 004019E4
                                    • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                  • String ID: 4-G$t-G
                                  • API String ID: 1649129571-614185655
                                  • Opcode ID: c3ef4d8e932f6ba0e8d71802c96bd6ce33fa45b133edd9cd28e27d366f84e7f2
                                  • Instruction ID: 8428d7d5ac7c52924c145d6670cc87a3efc0660951a857fec254875670f51c37
                                  • Opcode Fuzzy Hash: c3ef4d8e932f6ba0e8d71802c96bd6ce33fa45b133edd9cd28e27d366f84e7f2
                                  • Instruction Fuzzy Hash: 3241A0316042008BC324FB65DD86EAE73A9ABD4314F40453FF54AA21F2DF789D46C65E
                                  APIs
                                    • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                                  • __Init_thread_footer.LIBCMT ref: 0040AD0D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: [End of clipboard]$[Text copied to clipboard]$LLG$PLG
                                  • API String ID: 1881088180-1960277357
                                  • Opcode ID: cf07ec407d2798da32e2375eff4140983222a2ae5d3a139b961b770abdaa92d4
                                  • Instruction ID: 8d56320deb120d659c296c02e5f33f036aa5d094007c574b007f3df0111b0a83
                                  • Opcode Fuzzy Hash: cf07ec407d2798da32e2375eff4140983222a2ae5d3a139b961b770abdaa92d4
                                  • Instruction Fuzzy Hash: 8121A2319102054BCB14FBA6D9829EDB379AF84308F10007FE505731D2EF3C5E4A8A9D
                                  APIs
                                  • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                                  • wsprintfW.USER32 ref: 0040A769
                                    • Part of subcall function 00409BA9: SetEvent.KERNEL32(?,?,00000000,0040A780,00000000), ref: 00409BD5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EventLocalTimewsprintf
                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                  • API String ID: 1497725170-248792730
                                  • Opcode ID: 323ee48dfd5e0fd24d82b9d69c33118647d5e6edd353c2012f141c2000137108
                                  • Instruction ID: 67f2dfcb9da7a84066df1aeb29efb07d6386f75bf98186ef1d39347a66652dd1
                                  • Opcode Fuzzy Hash: 323ee48dfd5e0fd24d82b9d69c33118647d5e6edd353c2012f141c2000137108
                                  • Instruction Fuzzy Hash: 44114272404118AACB18FB96EC968FF77B8EE48315B00012FF842661D1EF7C5A45D6AD
                                  APIs
                                  • RegisterClassExA.USER32(00000030), ref: 0041BE66
                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041BE81
                                  • GetLastError.KERNEL32 ref: 0041BE8B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ClassCreateErrorLastRegisterWindow
                                  • String ID: 0$MsgWindowClass
                                  • API String ID: 2877667751-2410386613
                                  • Opcode ID: 2c2acc564e7228da8453ef1ef4daccb200bb255fb4852b917a0f25144a291afc
                                  • Instruction ID: 5840f73649b50f116e6ab49c8ddc39afef87091f1adce936c33ae781c96a4941
                                  • Opcode Fuzzy Hash: 2c2acc564e7228da8453ef1ef4daccb200bb255fb4852b917a0f25144a291afc
                                  • Instruction Fuzzy Hash: 0A01E9B190031DABDB10DF95ECC49EFBBBCEB08355F40057AF914A6240E77599058BA5
                                  APIs
                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406E0F
                                  • CloseHandle.KERNEL32(?), ref: 00406E1E
                                  • CloseHandle.KERNEL32(?), ref: 00406E23
                                  Strings
                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00406E05
                                  • C:\Windows\System32\cmd.exe, xrefs: 00406E0A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreateProcess
                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                  • API String ID: 2922976086-4183131282
                                  • Opcode ID: 0f52d4b74f975e3f2949df4035c160fbb6b8b2e0bf2a4fef78c5a914e70af107
                                  • Instruction ID: 771504d0c5622b635381120a699b2d9c6d8516bd8efb25c1479c62c52dadb0bd
                                  • Opcode Fuzzy Hash: 0f52d4b74f975e3f2949df4035c160fbb6b8b2e0bf2a4fef78c5a914e70af107
                                  • Instruction Fuzzy Hash: 1DF09676D0029C76CB20ABD7AC0EFDF7F3CEBC5B11F04016AB508A2041D6705010CAB5
                                  APIs
                                  • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 00412B07
                                  • RegSetValueExW.ADVAPI32(?,f@,00000000,00000001,00000000,00000000,00473238,?,0040ED66,pth_unenc), ref: 00412B35
                                  • RegCloseKey.ADVAPI32(?,?,0040ED66,pth_unenc), ref: 00412B40
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: f@$pth_unenc
                                  • API String ID: 1818849710-47959321
                                  • Opcode ID: 387085b369d29f0c03a5ab25110b6f928490cb9c4dfcad1f38ab335bf5f97616
                                  • Instruction ID: 0c8d3bccce686eec099df141ad345258a3ef415a4a3ae97405fd51eab9751fc6
                                  • Opcode Fuzzy Hash: 387085b369d29f0c03a5ab25110b6f928490cb9c4dfcad1f38ab335bf5f97616
                                  • Instruction Fuzzy Hash: 1CF0C231444218BBCF009FA1ED86FEE37ACEB00754F00412AB805A61A1E6759E04DA94
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00441BBB,?,?,00441B5B,?), ref: 00441C2A
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00441C3D
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00441BBB,?,?,00441B5B,?), ref: 00441C60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: ea4ab4854586bb172daf74edb897d215f2c8ee4f05ba98cc7202b459c056c010
                                  • Instruction ID: 8f9b3e7d5fe4f03b554215b975d8d256f1185f74086fc6d013083e353006690b
                                  • Opcode Fuzzy Hash: ea4ab4854586bb172daf74edb897d215f2c8ee4f05ba98cc7202b459c056c010
                                  • Instruction Fuzzy Hash: 79F06830944318FBDB115F54EC49B9EBFB8EF04756F004175FC05A2261DB788E84CA98
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00472EE0,00404E5A,00000001,?,00000000,00472EE0,00404C88,00000000,?,?,?), ref: 00405100
                                  • SetEvent.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?), ref: 0040510C
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00472EE0,00404C88,00000000,?,?,?), ref: 00405117
                                  • CloseHandle.KERNEL32(?,?,00000000,00472EE0,00404C88,00000000,?,?,?), ref: 00405120
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                  • String ID: KeepAlive | Disabled
                                  • API String ID: 2993684571-305739064
                                  • Opcode ID: 8bf7d7c36241a0c87dc93d3b6432bcd9049b7c59da5baf488ab90d78c02d9b48
                                  • Instruction ID: 9fcb7412de1a371383c4be032709771db6bfe23be82c7c78edeb32f54ebeba58
                                  • Opcode Fuzzy Hash: 8bf7d7c36241a0c87dc93d3b6432bcd9049b7c59da5baf488ab90d78c02d9b48
                                  • Instruction Fuzzy Hash: E8F096719087107FDB103774AD0AA6F7E98AB16315F00057FF986516E2D5B888509B9A
                                  APIs
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041994D
                                  • PlaySoundW.WINMM(00000000,00000000), ref: 0041995B
                                  • Sleep.KERNEL32(00002710), ref: 00419962
                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041996B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                  • String ID: Alarm triggered
                                  • API String ID: 614609389-2816303416
                                  • Opcode ID: 0911ecfe7eac67f65cf052bf830e935bba44887b3fcadc1cc1477479af12f1ab
                                  • Instruction ID: 8069d90e893f75e5c908224cd3dcb2ae2e93304f9117e242fbfb21d481eb26c4
                                  • Opcode Fuzzy Hash: 0911ecfe7eac67f65cf052bf830e935bba44887b3fcadc1cc1477479af12f1ab
                                  • Instruction Fuzzy Hash: 0CE01A26A4822037A510336BBD0FD6F2D29DAC7B62B0101BFFA05661E29D98085196FB
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041B6F8), ref: 0041B66D
                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041B6F8), ref: 0041B67A
                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041B6F8), ref: 0041B687
                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041B6F8), ref: 0041B69A
                                  Strings
                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041B68D
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                  • API String ID: 3024135584-2418719853
                                  • Opcode ID: b5101502732423ef893627347f2af24e4f93fc0e171d4abeb9243736e4473fa4
                                  • Instruction ID: ad478a08908ae1e8722594817e35ebd278399d2ab3723c686487d6c51551703d
                                  • Opcode Fuzzy Hash: b5101502732423ef893627347f2af24e4f93fc0e171d4abeb9243736e4473fa4
                                  • Instruction Fuzzy Hash: D0E04F62648708ABD3103FB6BC4EC6F7B7DE785623F101636FA1291293E974841086B5
                                  APIs
                                  • TerminateThread.KERNEL32(Function_00009880,00000000,pth_unenc,0040C5C1,00473220,00473238,?,pth_unenc), ref: 0040AE2B
                                  • UnhookWindowsHookEx.USER32(?), ref: 0040AE3B
                                  • TerminateThread.KERNEL32(Function_0000986A,00000000,?,pth_unenc), ref: 0040AE4D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: TerminateThread$HookUnhookWindows
                                  • String ID: @0G$pth_unenc
                                  • API String ID: 3123878439-155138683
                                  • Opcode ID: 115079c2282a6bf9576d9e0b7d13f6b7bc05c6b49fdad65596f4409ad05b5654
                                  • Instruction ID: e1e5eea1f7390eadd48dce0aa84519ec7b6f9c8f196e89bb690cf3ca84e6fe29
                                  • Opcode Fuzzy Hash: 115079c2282a6bf9576d9e0b7d13f6b7bc05c6b49fdad65596f4409ad05b5654
                                  • Instruction Fuzzy Hash: 81E0EC616553809FD7106F60BC98A62775AB606B47310807AF506A62A6C73C8E44A6AF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d077a8b190852e3b7fe11e6cef96461035acd321b12386ca60cae5b871db1d14
                                  • Instruction ID: 060016eacbcb527956992f75cf2bc0db82b48ac299cd878c71906e1bf1d9a011
                                  • Opcode Fuzzy Hash: d077a8b190852e3b7fe11e6cef96461035acd321b12386ca60cae5b871db1d14
                                  • Instruction Fuzzy Hash: 9D71F432D002169BCF218F55C845ABFBB75EF49310F14613BE811672A2D7789D49CBA9
                                  APIs
                                    • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B8F,?,?,00437117,?,?,00000000,?,?,0040D366,00433B8F,?,?,?,?), ref: 00444A6A
                                  • _free.LIBCMT ref: 00443707
                                  • _free.LIBCMT ref: 0044371E
                                  • _free.LIBCMT ref: 0044373D
                                  • _free.LIBCMT ref: 00443758
                                  • _free.LIBCMT ref: 0044376F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$AllocateHeap
                                  • String ID:
                                  • API String ID: 3033488037-0
                                  • Opcode ID: b7604e1a15de5c4975e1a22ca13a47cbde8c9eaf56ddf4bc19a35e3347dcf454
                                  • Instruction ID: 33fd527e9c34fc99befeee23a18cff77bba5ae58738d28a8d8759c9d181ac574
                                  • Opcode Fuzzy Hash: b7604e1a15de5c4975e1a22ca13a47cbde8c9eaf56ddf4bc19a35e3347dcf454
                                  • Instruction Fuzzy Hash: 1F51F6B1A00705AFEB20DF2AC841A6AB7F4EF45B25F14416FE849D7351E739DA01CB88
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D204), ref: 00447C4F
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00470764,000000FF,00000000,0000003F,00000000,?,?), ref: 00447CC7
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004707B8,000000FF,?,0000003F,00000000,?), ref: 00447CF4
                                  • _free.LIBCMT ref: 00447C3D
                                    • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                                    • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                                  • _free.LIBCMT ref: 00447E09
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                  • String ID:
                                  • API String ID: 1286116820-0
                                  • Opcode ID: 192cb104f115433a19df37c8a32fadc6d02125d47b70fccf30c1571d909818d4
                                  • Instruction ID: b174790296e1c1cb64190fb610b95ef3deb4325f3671f118df16a2f4d1cf92b6
                                  • Opcode Fuzzy Hash: 192cb104f115433a19df37c8a32fadc6d02125d47b70fccf30c1571d909818d4
                                  • Instruction Fuzzy Hash: 97511871D04209EBEB14EF79DC819AA77B8EF40324F11026FE455E3291E7389D428B9C
                                  APIs
                                    • Part of subcall function 0041AB12: GetCurrentProcess.KERNEL32(?,?,?,0040CFAE,WinDir,00000000,00000000), ref: 0041AB23
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040EE5E
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040EE82
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040EE91
                                  • CloseHandle.KERNEL32(00000000), ref: 0040F048
                                    • Part of subcall function 0041AB40: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040EB16,00000000,?,?,00473280), ref: 0041AB55
                                    • Part of subcall function 0041AB76: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041AB8B
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F039
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 1735047541-0
                                  • Opcode ID: 10db047d6ec051ebfa1b677ef079235bb968fbf38ccdd5ee4dceddede61d3ccb
                                  • Instruction ID: fc5c85540f889f3a2ab1a6016a9079e2269e38591cc5ac43cbc88825ef87a1e7
                                  • Opcode Fuzzy Hash: 10db047d6ec051ebfa1b677ef079235bb968fbf38ccdd5ee4dceddede61d3ccb
                                  • Instruction Fuzzy Hash: CD4142311082415BC324F761DC91AEFB3E9AFD4344F50493EF48A921E2EF38A94AC65A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: c116326db574ec4ac976eebbd44619f729e5691f91e73ba179bd56b8a01ad2b5
                                  • Instruction ID: 2285a7be470c23e98719e3e167ac4dd42b0d3d2551702f58938e7795a41d704d
                                  • Opcode Fuzzy Hash: c116326db574ec4ac976eebbd44619f729e5691f91e73ba179bd56b8a01ad2b5
                                  • Instruction Fuzzy Hash: E941F332E002009FEB10DF79C981A5EB3B5EF89714F5581AEE915EB381DBB5AD01CB84
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042C60C,?,?,?,00000001,00000000,?,00000001,0042C60C,0042C60C), ref: 0044F9F9
                                  • __alloca_probe_16.LIBCMT ref: 0044FA31
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042C60C,?,?,?,00000001,00000000,?,00000001,0042C60C,0042C60C,?), ref: 0044FA82
                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042C60C,0042C60C,?,00000002,00000000), ref: 0044FA94
                                  • __freea.LIBCMT ref: 0044FA9D
                                    • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B8F,?,?,00437117,?,?,00000000,?,?,0040D366,00433B8F,?,?,?,?), ref: 00444A6A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                  • String ID:
                                  • API String ID: 313313983-0
                                  • Opcode ID: e30088a7f1d1453c4e6029d37d92c7a58ce3ccc3468233c635f768e2873a9a9e
                                  • Instruction ID: c39bf728e7cf4935227f6dd7d506cca849d0501c7d5e8428f05d5abeab6cc89e
                                  • Opcode Fuzzy Hash: e30088a7f1d1453c4e6029d37d92c7a58ce3ccc3468233c635f768e2873a9a9e
                                  • Instruction Fuzzy Hash: 2631E372A0020AABEF249F65DC41DAF7BA5EB40314F04057AFC08E7251E739DD59CB94
                                  APIs
                                    • Part of subcall function 004129E0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00473238), ref: 004129FC
                                    • Part of subcall function 004129E0: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412A15
                                    • Part of subcall function 004129E0: RegCloseKey.ADVAPI32(00000000), ref: 00412A20
                                  • Sleep.KERNEL32(00000BB8), ref: 00411CBD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQuerySleepValue
                                  • String ID: 2G$82G$82G$exepath
                                  • API String ID: 4119054056-3664068176
                                  • Opcode ID: 76dde27d81efae4c72e4ee2a763cba5385c23bf91bede17d9c4ced6e702fa6bf
                                  • Instruction ID: 1bc3c23f432ba4f57a41c102a15aec319e0c21ae64d144f38269a80ff3ae14c8
                                  • Opcode Fuzzy Hash: 76dde27d81efae4c72e4ee2a763cba5385c23bf91bede17d9c4ced6e702fa6bf
                                  • Instruction Fuzzy Hash: 5021F4A0B0030427D600B76A6C46ABF228E8B80308F00497FB946E72D3EF3C9D4641AE
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044DBE3
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044DC06
                                    • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B8F,?,?,00437117,?,?,00000000,?,?,0040D366,00433B8F,?,?,?,?), ref: 00444A6A
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044DC2C
                                  • _free.LIBCMT ref: 0044DC3F
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044DC4E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  • Opcode ID: 05963b722a187b08b23702ed25f32100ad8df03e6f93360e21280f476eebae31
                                  • Instruction ID: d30a67c417177e80d80b31b0a31e6726aa7580f18a7a9fd153e391297dd7151b
                                  • Opcode Fuzzy Hash: 05963b722a187b08b23702ed25f32100ad8df03e6f93360e21280f476eebae31
                                  • Instruction Fuzzy Hash: 38017172A057157F37211AA66D89C7F7A6DDAC2B65315017EF904D2341DEA88C02C1B9
                                  APIs
                                  • GetLastError.KERNEL32(00000000,00000000,00000000,0043A556,00000000,?,?,0043A5DA,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00446B1E
                                  • _free.LIBCMT ref: 00446B53
                                  • _free.LIBCMT ref: 00446B7A
                                  • SetLastError.KERNEL32(00000000,?,00409C8E), ref: 00446B87
                                  • SetLastError.KERNEL32(00000000,?,00409C8E), ref: 00446B90
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  • Opcode ID: 2af989fa884a69d0fa37520c75958db6afc4f652e0641eba9099b80d7b86f832
                                  • Instruction ID: 0346a1b294bc514b0a994de80f7e6f12b46350d74b5091e52828a709d6f7ce0e
                                  • Opcode Fuzzy Hash: 2af989fa884a69d0fa37520c75958db6afc4f652e0641eba9099b80d7b86f832
                                  • Instruction Fuzzy Hash: B6012676205B506BB7112629BC45D6F2269CBD37B9722003BF409D32C2EE7CDC06416F
                                  APIs
                                  • _free.LIBCMT ref: 0044F254
                                    • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                                    • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                                  • _free.LIBCMT ref: 0044F266
                                  • _free.LIBCMT ref: 0044F278
                                  • _free.LIBCMT ref: 0044F28A
                                  • _free.LIBCMT ref: 0044F29C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 516e47d2e0f60d5fede89190a792db0aa6a45a74a38a5f68d9a0fd3effe540a6
                                  • Instruction ID: f954284d0b45cb36624272f64f50ef8c725a3c78d63bb55929d804f861096251
                                  • Opcode Fuzzy Hash: 516e47d2e0f60d5fede89190a792db0aa6a45a74a38a5f68d9a0fd3effe540a6
                                  • Instruction Fuzzy Hash: A3F09676504601EBEA30EB69F983C4B73D9BA05B54354487BF048D7641C7B9FC844AAC
                                  APIs
                                  • _free.LIBCMT ref: 00442986
                                    • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                                    • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                                  • _free.LIBCMT ref: 00442998
                                  • _free.LIBCMT ref: 004429AB
                                  • _free.LIBCMT ref: 004429BC
                                  • _free.LIBCMT ref: 004429CD
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 93600525103f6331525761e29ceec305afa513f2dd5993403a2e8bdf270ab536
                                  • Instruction ID: ac8127230bc54366d86f294ef586a91d245084804c15bedb181f71e342f475e2
                                  • Opcode Fuzzy Hash: 93600525103f6331525761e29ceec305afa513f2dd5993403a2e8bdf270ab536
                                  • Instruction Fuzzy Hash: 30F0D0B9902721DBDB51AF19FC428093760A724B24781913BF45C56B71D77909858FCE
                                  APIs
                                  • _strpbrk.LIBCMT ref: 0044CFB8
                                  • _free.LIBCMT ref: 0044D0D5
                                    • Part of subcall function 0043A5E8: IsProcessorFeaturePresent.KERNEL32(00000017,0043A5BA,00409C8E,?,?,00000000,00409C8E,00000000,?,?,0043A5DA,00000000,00000000,00000000,00000000,00000000), ref: 0043A5EA
                                    • Part of subcall function 0043A5E8: GetCurrentProcess.KERNEL32(C0000417,?,00409C8E), ref: 0043A60C
                                    • Part of subcall function 0043A5E8: TerminateProcess.KERNEL32(00000000), ref: 0043A613
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                  • String ID: *?$.
                                  • API String ID: 2812119850-3972193922
                                  • Opcode ID: 4f99e93415464d5738f8b0ec0c1dd26b56c598080a7d5787abd8bcea82267666
                                  • Instruction ID: 0665d5b14a1e4b9cb67c1a99571701ed5e9b0677a739cf7a3229819190da0774
                                  • Opcode Fuzzy Hash: 4f99e93415464d5738f8b0ec0c1dd26b56c598080a7d5787abd8bcea82267666
                                  • Instruction Fuzzy Hash: 88518271E00109AFEF14DFA9C881AAEF7B5EF48318F24416FE854E7341D6799E068B54
                                  APIs
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00416603
                                  • GetWindowTextW.USER32(?,?,0000012C), ref: 0041662F
                                  • IsWindowVisible.USER32(?), ref: 00416636
                                    • Part of subcall function 0041AB76: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041AB8B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$Process$OpenTextThreadVisible
                                  • String ID: h5G
                                  • API String ID: 478698014-4077671695
                                  • Opcode ID: 423aa208f9ed73c381c9eba56ef77f7a3c959dda44abcfc3de67e0413d5ca339
                                  • Instruction ID: 99c6d8f7261b3cee98e9cdba014bcc0a4643868b1acb47591d6874b1b0f6d138
                                  • Opcode Fuzzy Hash: 423aa208f9ed73c381c9eba56ef77f7a3c959dda44abcfc3de67e0413d5ca339
                                  • Instruction Fuzzy Hash: E241E4311082419BC324FB65D891DDFF3E9AFD4354F50893EF48A921E1EF349A4ACA5A
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00441D45
                                  • _free.LIBCMT ref: 00441E10
                                  • _free.LIBCMT ref: 00441E1A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  • API String ID: 2506810119-1068371695
                                  • Opcode ID: fb92f241e2e05432639b7b32ac1502f6d059981408861d6403be201cf46156aa
                                  • Instruction ID: c557cc44e93a4f3526c8424d226de774fcc48449be6b5aaf792980d9704e92f2
                                  • Opcode Fuzzy Hash: fb92f241e2e05432639b7b32ac1502f6d059981408861d6403be201cf46156aa
                                  • Instruction Fuzzy Hash: 663173B5E01258EFEB21DB99D88199FBBBCEB44314F10406BF80897221D6749A818799
                                  APIs
                                    • Part of subcall function 0040BA3D: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,0040BB7D), ref: 0040BA70
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040BB97
                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040BC02
                                  Strings
                                  • User Data\Default\Network\Cookies, xrefs: 0040BB7D
                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040BBAC
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                  • API String ID: 1174141254-1980882731
                                  • Opcode ID: 88cae7244ce1b5af3410cf387d2dc5f824ff2f39d06d0068a71ddcfd0b4b0651
                                  • Instruction ID: d3bd7a9e1c96093492625e3e5ee86b1017f979b14bb93b73e7de0ea03ad3c358
                                  • Opcode Fuzzy Hash: 88cae7244ce1b5af3410cf387d2dc5f824ff2f39d06d0068a71ddcfd0b4b0651
                                  • Instruction Fuzzy Hash: F521E2719101195ACB04F7A6DC96CEEB7B8EE50718B44003FF901B21E2EF789946C6DC
                                  APIs
                                    • Part of subcall function 0040A6DA: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                                    • Part of subcall function 0040A6DA: wsprintfW.USER32 ref: 0040A769
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000986A,?,00000000,00000000), ref: 0040A4E1
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000988C,?,00000000,00000000), ref: 0040A4ED
                                  • CreateThread.KERNEL32(00000000,00000000,00409898,?,00000000,00000000), ref: 0040A4F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread$LocalTime$wsprintf
                                  • String ID: Online Keylogger Started
                                  • API String ID: 112202259-1258561607
                                  • Opcode ID: c29784c30d8bb769d8f56ecf3f3c79122ed017be44a58d7d44e3ea9d922c463c
                                  • Instruction ID: 2918f94b29e643706cc8194107c31a37d0557916cfe4d3346365f420470abdd0
                                  • Opcode Fuzzy Hash: c29784c30d8bb769d8f56ecf3f3c79122ed017be44a58d7d44e3ea9d922c463c
                                  • Instruction Fuzzy Hash: 4501A1A5A003083EE62076769C8ADBF7A6CCA92398F40057FF545222C3D9BD1D5582FA
                                  APIs
                                  • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,0040609F,?), ref: 004060F6
                                  • GetProcAddress.KERNEL32(00000000), ref: 004060FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: CryptUnprotectData$crypt32
                                  • API String ID: 2574300362-2380590389
                                  • Opcode ID: 5deaecffb08fff2b823b0b74764ae02e5ae7b43c49087b2fd004d2f9456ea8b6
                                  • Instruction ID: beb262a90158fb4cf50087408c2c088a9110264107d79c3b72559a6e192aff88
                                  • Opcode Fuzzy Hash: 5deaecffb08fff2b823b0b74764ae02e5ae7b43c49087b2fd004d2f9456ea8b6
                                  • Instruction Fuzzy Hash: 75012831A04315ABCF18CFACDC409ABBBB8EF54300F0002BEE956E7341D675D9008798
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                                  • CloseHandle.KERNEL32(?), ref: 004051AA
                                  • SetEvent.KERNEL32(?), ref: 004051B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandleObjectSingleWait
                                  • String ID: Connection Timeout
                                  • API String ID: 2055531096-499159329
                                  • Opcode ID: 0dfeed1a63c63b6e54efb6bdbe477c07f451e62992c071e037f285ec22bb7077
                                  • Instruction ID: 87dc7bd1a7f2c12f2d5d2db554b8500d969d653d79ad8885273b8c0985c03cd0
                                  • Opcode Fuzzy Hash: 0dfeed1a63c63b6e54efb6bdbe477c07f451e62992c071e037f285ec22bb7077
                                  • Instruction Fuzzy Hash: 1401F531A44B40AFE7226B36DC4551B7FD0FF01301700097FF18356AA2DA78A440CF5A
                                  APIs
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040DD37
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8Throw
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2005118841-1866435925
                                  • Opcode ID: cd6b81b187af9327d90b81c58f4d9aaee129bce6aecb0e224ae0eb856d537346
                                  • Instruction ID: c83b488e6c0b567c715bed89e41106fb5d46d583803a0575b5f187d309fe0aa3
                                  • Opcode Fuzzy Hash: cd6b81b187af9327d90b81c58f4d9aaee129bce6aecb0e224ae0eb856d537346
                                  • Instruction Fuzzy Hash: 5401D6B1E487087AE714EAD5CC13FBA77685F10705F50403FB906761C2EABC6549CA2E
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell
                                  • String ID: /C $cmd.exe$open
                                  • API String ID: 587946157-3896048727
                                  • Opcode ID: 19f2e434dac0fe19586e410ac2313a52ffe8a9aeb0e0d052a9dc47cc9aa358fe
                                  • Instruction ID: b910b50d10bf9c10a53822f7bfccbc49879064c70acfec78918e038c0e9cbf8d
                                  • Opcode Fuzzy Hash: 19f2e434dac0fe19586e410ac2313a52ffe8a9aeb0e0d052a9dc47cc9aa358fe
                                  • Instruction Fuzzy Hash: ADF012712083045AC314FBB2DC959AFB3E8AB90319F500C3FB546611E2EF389959C65A
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040D4B5
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040D4F4
                                    • Part of subcall function 00433F13: _Yarn.LIBCPMT ref: 00433F32
                                    • Part of subcall function 00433F13: _Yarn.LIBCPMT ref: 00433F56
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D51A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                  • String ID: bad locale name
                                  • API String ID: 3628047217-1405518554
                                  • Opcode ID: 5e796192593fad175f823b29c85da8fc82c065668e0f9f464e68a68c5f212e65
                                  • Instruction ID: 7d5d85bd939eae65a08207342b5a69e68fd95b80f34b046828c98c3172fb135a
                                  • Opcode Fuzzy Hash: 5e796192593fad175f823b29c85da8fc82c065668e0f9f464e68a68c5f212e65
                                  • Instruction Fuzzy Hash: 72F0A4314446049AC334FF61D853A9FB3689F14758F90453FF686228D7EF38AA0CC699
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,00473298), ref: 00412925
                                  • RegQueryValueExW.ADVAPI32(?,0@,00000000,00000000,?,00000400), ref: 00412944
                                  • RegCloseKey.ADVAPI32(?), ref: 0041294D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: 0@
                                  • API String ID: 3677997916-11155133
                                  • Opcode ID: d8b927e9e7091c5b2a44ed99caa3eb5f31c6b116db3d9a3002ee90177f1c466b
                                  • Instruction ID: c7fd1c892b01a83c80440586cf5eccaa6983c25e434fa7726a62adcc2e55f33b
                                  • Opcode Fuzzy Hash: d8b927e9e7091c5b2a44ed99caa3eb5f31c6b116db3d9a3002ee90177f1c466b
                                  • Instruction Fuzzy Hash: CCF0C275A0021CFBDB109B90EC45FDE7BBCEB04B11F1040B2BA04F5291DAB4AB949BD8
                                  APIs
                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                                  • GetProcAddress.KERNEL32(00000000), ref: 00401403
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetCursorInfo$User32.dll
                                  • API String ID: 1646373207-2714051624
                                  • Opcode ID: d106107450db0d81a8cd297f1c1958bbeafca831e7cd1c5948616fa477c32a51
                                  • Instruction ID: 339f5e680ac259f41fdaf7538df7a013b816c33a7b3ecda91f69a778ee4b915d
                                  • Opcode Fuzzy Hash: d106107450db0d81a8cd297f1c1958bbeafca831e7cd1c5948616fa477c32a51
                                  • Instruction Fuzzy Hash: 89B092B0585700ABC6007FB0BC0D9493A24A604703B1001B2B001A2672EB7991909E3F
                                  APIs
                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                                  • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetLastInputInfo$User32.dll
                                  • API String ID: 2574300362-1519888992
                                  • Opcode ID: 1ce684c1e9215f277348ea1b345f6655546256602e36a9085d5b35a2dabba592
                                  • Instruction ID: a235115c4c7ff8ecad93221cd3e986331959d115ecffc12b26486691d28a12a6
                                  • Opcode Fuzzy Hash: 1ce684c1e9215f277348ea1b345f6655546256602e36a9085d5b35a2dabba592
                                  • Instruction Fuzzy Hash: 9BB092F05657009BCB402FA0BC0E9053B24A604713B208AB2B009A3162EB7D90909F2F
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID:
                                  • API String ID: 1036877536-0
                                  • Opcode ID: 500b6b3c067367f1283b5ca09d132384efb29a74f12a76b3a308fd1f824a21bf
                                  • Instruction ID: 2e0d047c9ab5e1f9e195ebe2db35710396bb8e1c860b674ed94f75fdd8067eee
                                  • Opcode Fuzzy Hash: 500b6b3c067367f1283b5ca09d132384efb29a74f12a76b3a308fd1f824a21bf
                                  • Instruction Fuzzy Hash: 26A138B19006869FFB21CF18C8917BEBBA1EF15314F18416FE885AB381CA7C9946C759
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a29e3f5de5cebec34a78c42cfb7cc875d8341f1e05d24d12d06a310733f1c9eb
                                  • Instruction ID: 551359a9c080faf0a086328dfaf192d0d3c69e8e99468298c70d0e4e8f2cce1c
                                  • Opcode Fuzzy Hash: a29e3f5de5cebec34a78c42cfb7cc875d8341f1e05d24d12d06a310733f1c9eb
                                  • Instruction Fuzzy Hash: 47413A71A00704EFE7249F79CC42BAA7BA9EB8C714F10462FF101DB291D779A9818784
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00472F38), ref: 00404D93
                                  • CreateThread.KERNEL32(00000000,00000000,?,00472EE0,00000000,00000000), ref: 00404DA7
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                                  • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 3360349984-0
                                  • Opcode ID: 41a628a5a2eb1fefe8272d960e32c25dbcb4adb811e292f6477f65b95ce36929
                                  • Instruction ID: dba95858f974454461b1e2e40e9edd510e178e98119d07c53f81cbb5064a2bb1
                                  • Opcode Fuzzy Hash: 41a628a5a2eb1fefe8272d960e32c25dbcb4adb811e292f6477f65b95ce36929
                                  • Instruction Fuzzy Hash: 524194712083016BC711FB61DD55D6FB7EDAFD4314F400A3EB982A22E2DB3899098666
                                  APIs
                                    • Part of subcall function 0041AECA: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041AEDA
                                    • Part of subcall function 0041AECA: GetWindowTextLengthW.USER32(00000000), ref: 0041AEE3
                                    • Part of subcall function 0041AECA: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041AF0D
                                  • Sleep.KERNEL32(000001F4), ref: 00409AD5
                                  • Sleep.KERNEL32(00000064), ref: 00409B70
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$ForegroundLength
                                  • String ID: [ $ ]
                                  • API String ID: 3309952895-93608704
                                  • Opcode ID: cb05ee9626f788f50311e7f1808662ecd7e76ea6020e361dd52d9492f9bb3d90
                                  • Instruction ID: c75d603df524a244733055fbd34c65f055766319f874fab2ee06841349c314ac
                                  • Opcode Fuzzy Hash: cb05ee9626f788f50311e7f1808662ecd7e76ea6020e361dd52d9492f9bb3d90
                                  • Instruction Fuzzy Hash: 9821AE3160420057C608BB76DC179AE76A99F91308F40057FF952771D3EE7DAA09869F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4388830d366f02e0d0dea3569a7d37812047d6b1fee5cbedd9e993ba2e67f05b
                                  • Instruction ID: 928698612f51615fe1cf777c5292d1b4e42623037d2c96bc68a693b0eec0e686
                                  • Opcode Fuzzy Hash: 4388830d366f02e0d0dea3569a7d37812047d6b1fee5cbedd9e993ba2e67f05b
                                  • Instruction Fuzzy Hash: 3F01A7B26096167EFA201E797DC1F6B221DDF917B9B70033BF921612D5DBAC8C014168
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aaa693d2fffba037f22f2958b6f997d505db036d08c455309056a26f69548708
                                  • Instruction ID: ffef20b579aa455cdcb3ec38d6af2d4eff98cb77a0cb65f0443bbc9c4ef6001c
                                  • Opcode Fuzzy Hash: aaa693d2fffba037f22f2958b6f997d505db036d08c455309056a26f69548708
                                  • Instruction Fuzzy Hash: 5101D6B22096127FF6211E797CC1D2B232DEF513BA365033BF921512D5DAACCC444168
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00446D8D,00000000,00000000,00000000,00000000,?,004470B9,00000006,FlsSetValue), ref: 00446E18
                                  • GetLastError.KERNEL32(?,00446D8D,00000000,00000000,00000000,00000000,?,004470B9,00000006,FlsSetValue,0045D130,0045D138,00000000,00000364,?,00446B67), ref: 00446E24
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00446D8D,00000000,00000000,00000000,00000000,?,004470B9,00000006,FlsSetValue,0045D130,0045D138,00000000), ref: 00446E32
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: a5304e2d2fd2594c12811dfafb94f311b8e24b7740d385cabe09339be51067e1
                                  • Instruction ID: 7cfac10879522bcf09d0363c87617103b1842d1ca64a55dff1d48b8732c2297d
                                  • Opcode Fuzzy Hash: a5304e2d2fd2594c12811dfafb94f311b8e24b7740d385cabe09339be51067e1
                                  • Instruction Fuzzy Hash: 7901F73A2063229BD7214B79EC44A573BD9AF06F62B320231F91AD7241D724D801C6ED
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0041AE2B
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041AE50
                                  • CloseHandle.KERNEL32(00000000), ref: 0041AE5E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleReadSize
                                  • String ID:
                                  • API String ID: 3919263394-0
                                  • Opcode ID: 442c9d8ecbfc2981eb1d44de6e8e3768176206f0722ce75e894edeb3ed96a232
                                  • Instruction ID: 3f0c34db4874b28da9e92ecf7e139d0848c3339cd4cea530d57336cc45ca2017
                                  • Opcode Fuzzy Hash: 442c9d8ecbfc2981eb1d44de6e8e3768176206f0722ce75e894edeb3ed96a232
                                  • Instruction Fuzzy Hash: 1BF0C2B52462087FE6111B21BC84FBF379CDB867A9F10067EFD02A22C1CA658D054536
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 00438177
                                    • Part of subcall function 004387AF: ___AdjustPointer.LIBCMT ref: 004387F9
                                  • _UnwindNestedFrames.LIBCMT ref: 0043818E
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 004381A0
                                  • CallCatchBlock.LIBVCRUNTIME ref: 004381C4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                  • String ID:
                                  • API String ID: 2633735394-0
                                  • Opcode ID: bf861bfba03100e0359afbe7af2fd9297d541e05f4b4e03a7557866a70e7ae05
                                  • Instruction ID: b80c8dfee50a01e3efcc98067a7db4f6d443bb63a6d24abc5b8fd2fcc045c81f
                                  • Opcode Fuzzy Hash: bf861bfba03100e0359afbe7af2fd9297d541e05f4b4e03a7557866a70e7ae05
                                  • Instruction Fuzzy Hash: F1011732000209BBCF125F56CC01EEB7BBAFF4C714F14511AF95866220D73AE8629BA5
                                  APIs
                                  • GetSystemMetrics.USER32(0000004C), ref: 00417F4F
                                  • GetSystemMetrics.USER32(0000004D), ref: 00417F55
                                  • GetSystemMetrics.USER32(0000004E), ref: 00417F5B
                                  • GetSystemMetrics.USER32(0000004F), ref: 00417F61
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MetricsSystem
                                  • String ID:
                                  • API String ID: 4116985748-0
                                  • Opcode ID: 52ae23f17ebd3a8b63732ffffa837f2ae29638f7e606c1416d1229424adc30c0
                                  • Instruction ID: db9294b6453bfed66dbe03807c9cf0078fbbbbfeeb63ddf2ed7e0e7c3359cc27
                                  • Opcode Fuzzy Hash: 52ae23f17ebd3a8b63732ffffa837f2ae29638f7e606c1416d1229424adc30c0
                                  • Instruction Fuzzy Hash: 85F0AFB1B483165FD700EFB69C45A6B7AE59BD42A4F10043FF608C7281EEACDC458B84
                                  APIs
                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00437801
                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00437806
                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0043780B
                                    • Part of subcall function 00438D37: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00438D48
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00437820
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                  • String ID:
                                  • API String ID: 1761009282-0
                                  • Opcode ID: 9269abf3446c0c407ed1a2d4036da59c5190ee49ce07a04b16f4a94a6885d453
                                  • Instruction ID: 44b38c586fa46ca64db38af4dc09b646a72d0231a99fa094af013a7d49b3c72a
                                  • Opcode Fuzzy Hash: 9269abf3446c0c407ed1a2d4036da59c5190ee49ce07a04b16f4a94a6885d453
                                  • Instruction Fuzzy Hash: 5DC00298409781141D383A7311461AE93002C6E3CDF8078DFFAE0175435D0E140B957E
                                  APIs
                                  • __startOneArgErrorHandling.LIBCMT ref: 004415BD
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorHandling__start
                                  • String ID: pow
                                  • API String ID: 3213639722-2276729525
                                  • Opcode ID: ad63ff09f6cf6b628e32c74312707c4078ff81d5a8f2d6bafb9ca103f79419f4
                                  • Instruction ID: 9bdf7c23e7d16313cb1f45f597b7cc27bb5148f7337d60067ed22a22280059c4
                                  • Opcode Fuzzy Hash: ad63ff09f6cf6b628e32c74312707c4078ff81d5a8f2d6bafb9ca103f79419f4
                                  • Instruction Fuzzy Hash: C4514C61E06201A7F7517714C9813BB2B94DB80741F28896BF0D6823BAEB3DCCD59E4E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: DJG$DJG
                                  • API String ID: 0-3553971598
                                  • Opcode ID: 802e73362db16e148a987297f9c180115640e245957b4db1781f001cc27eac43
                                  • Instruction ID: f2201e53aae1a578f399186880d4f81f94f4690d310475270f371cf99ab1fffa
                                  • Opcode Fuzzy Hash: 802e73362db16e148a987297f9c180115640e245957b4db1781f001cc27eac43
                                  • Instruction Fuzzy Hash: 8861F0F16046569BC704DF28D8017A6F7E4FF84304F04052EED9C8B346E778AA64DBAA
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                                    • Part of subcall function 0041A4D3: GetCurrentProcessId.KERNEL32(00000000,6BEF8300,00000000,?,?,?,?,0046A8F0,0040C716,.vbs,?,?,?,?,?,00473238), ref: 0041A4FA
                                    • Part of subcall function 00417456: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00463E44), ref: 0041746C
                                    • Part of subcall function 00417456: CloseHandle.KERNEL32(D>F,?,?,004040D5,00463E44), ref: 00417475
                                    • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                                  • Sleep.KERNEL32(000000FA,00463E44), ref: 00404118
                                  Strings
                                  • /sort "Visit Time" /stext ", xrefs: 00404092
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                  • String ID: /sort "Visit Time" /stext "
                                  • API String ID: 368326130-1573945896
                                  • Opcode ID: 312c00053b40da79b70733780a98c5acf21a122afe3362614534b630630b788c
                                  • Instruction ID: 0b16387c6f9edcb84504e01d0cc383686463f04b1c5a299ba0a956b40ef645a0
                                  • Opcode Fuzzy Hash: 312c00053b40da79b70733780a98c5acf21a122afe3362614534b630630b788c
                                  • Instruction Fuzzy Hash: B7318431A0021957CB14FBA6DC969EE7779AF90308F40017FF506B71D2EF38598ACA99
                                  APIs
                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450612,?,00000050,?,?,?,?,?), ref: 00450492
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ACP$OCP
                                  • API String ID: 0-711371036
                                  • Opcode ID: f1c7551b471a892f553800437845e87fa4d211da0bcbbc8f051b82ee5a92802c
                                  • Instruction ID: b93994b24156d93d71cef3ddff737944661d95d4cf4e28bf2754044b1fc000f2
                                  • Opcode Fuzzy Hash: f1c7551b471a892f553800437845e87fa4d211da0bcbbc8f051b82ee5a92802c
                                  • Instruction Fuzzy Hash: 0521066AA00100A6DB34CA54C901B9B7356DF52B57F56842AEF0AD7303F73ADD4AC358
                                  APIs
                                  • GetLocalTime.KERNEL32(?,004734E8,?,00000000,?,?,?,?,?,?,00415007,?,00000001,0000004C,00000000), ref: 00405010
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  • GetLocalTime.KERNEL32(?,004734E8,?,00000000,?,?,?,?,?,?,00415007,?,00000001,0000004C,00000000), ref: 00405067
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 481472006-1507639952
                                  • Opcode ID: c21a9a9a2d68d956fc97e40fb7ac92ff9f4663da52d61a57436286579010d152
                                  • Instruction ID: 9a4cfd33936eaa6b36ea74c7cc729b7cf4cbb54b4ad27954b172034734b4d9a3
                                  • Opcode Fuzzy Hash: c21a9a9a2d68d956fc97e40fb7ac92ff9f4663da52d61a57436286579010d152
                                  • Instruction Fuzzy Hash: AC2129719043806BD714FB25DC4575F7B54AB45309F04057EF485532A2DA3D5688CBEB
                                  APIs
                                  • GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: | $%02i:%02i:%02i:%03i
                                  • API String ID: 481472006-2430845779
                                  • Opcode ID: 73f1784e6b0f8c6c2b56327e02b954a3cae6b777a92ff4e659f5f7ca666b0f94
                                  • Instruction ID: 305aa241e5e1249f2c56a36f0bedab380cdf1516fdeeb0388db8af3b2f80b87a
                                  • Opcode Fuzzy Hash: 73f1784e6b0f8c6c2b56327e02b954a3cae6b777a92ff4e659f5f7ca666b0f94
                                  • Instruction Fuzzy Hash: DD11637250820156C704FBA5D841CAFB3E8AF84348F504A3FF485A21E1EF3CD945CB5A
                                  APIs
                                  • waveInOpen.WINMM(00470AC8,000000FF,00470AA8,Function_0000184A,00000000,00030008,?), ref: 004017A1
                                    • Part of subcall function 004017CC: waveInPrepareHeader.WINMM(?,00000020,?,?,00474A90,00472EC8,?,00000000,004019F5), ref: 00401829
                                    • Part of subcall function 004017CC: waveInAddBuffer.WINMM(?,00000020,?,00000000,004019F5), ref: 0040183F
                                  • waveInStart.WINMM ref: 004017BA
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferHeaderOpenPrepareStart
                                  • String ID: t-G
                                  • API String ID: 4183526013-1680578370
                                  • Opcode ID: 3493a79b9d81004262f7a08222b2a1c773a96ba502fad3dccb73bbc541bd7a8f
                                  • Instruction ID: 95a711b6e76d91f395065626d5ac92766c974447fb9b8fe42a04c668eb71b703
                                  • Opcode Fuzzy Hash: 3493a79b9d81004262f7a08222b2a1c773a96ba502fad3dccb73bbc541bd7a8f
                                  • Instruction Fuzzy Hash: 1E110071A15310DEC359DB35AC40956B6E8EFAA365B10823BE04AE72F0E7384480C75C
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415F1F,00000000), ref: 00419897
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: alarm.wav$4G
                                  • API String ID: 1174141254-2977537865
                                  • Opcode ID: 0405eb6173bf9fb18ee31fbe713bf33f5018e8174fcb87b766c4b144a6d47126
                                  • Instruction ID: 34e28ac8ce078d76f0f9f0665c2abcaeee574b9cd4657200da68d7dd76b5aff6
                                  • Opcode Fuzzy Hash: 0405eb6173bf9fb18ee31fbe713bf33f5018e8174fcb87b766c4b144a6d47126
                                  • Instruction Fuzzy Hash: 2001C020B1420056CA14FA76D8666EE26859B81358F00417FF819662E2EF7D4D85D2DF
                                  APIs
                                    • Part of subcall function 0040A6DA: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                                    • Part of subcall function 0040A6DA: wsprintfW.USER32 ref: 0040A769
                                    • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                                  • CloseHandle.KERNEL32(?), ref: 0040A627
                                  • UnhookWindowsHookEx.USER32 ref: 0040A63A
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                  • String ID: Online Keylogger Stopped
                                  • API String ID: 1623830855-1496645233
                                  • Opcode ID: d3c305d189d023337c19d45115f55708c42728a18cfdc41ca47be57693e1c8a4
                                  • Instruction ID: 152bd68872477db56328b5f984a61734b927b4b139483ca97bc76b34e3d0b4bf
                                  • Opcode Fuzzy Hash: d3c305d189d023337c19d45115f55708c42728a18cfdc41ca47be57693e1c8a4
                                  • Instruction Fuzzy Hash: 7301F531A043005BD7217B65D80BBBE7B755B41305F44046FE581222D2EBBA19A6D7DF
                                  APIs
                                  • waveInPrepareHeader.WINMM(?,00000020,?,?,00474A90,00472EC8,?,00000000,004019F5), ref: 00401829
                                  • waveInAddBuffer.WINMM(?,00000020,?,00000000,004019F5), ref: 0040183F
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferHeaderPrepare
                                  • String ID: 4-G
                                  • API String ID: 2315374483-347150978
                                  • Opcode ID: b9941bb6e18d7de13c445b8f099fd1389e43979035ab8c29808fe9c26c2bef2e
                                  • Instruction ID: 6b7ed70fd603f0a3b73b27032148b84c73c10b4b752733d916ddca8c7a8238c5
                                  • Opcode Fuzzy Hash: b9941bb6e18d7de13c445b8f099fd1389e43979035ab8c29808fe9c26c2bef2e
                                  • Instruction Fuzzy Hash: B201AD71302300AFC7509F35EC4492ABBA9FB89305B01413AF809C37A2EB7998508B98
                                  APIs
                                  • IsValidLocale.KERNEL32(00000000,3D,00000000,00000001,?,?,004433EB,?,?,00442DCB,?,00000004), ref: 004473B2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LocaleValid
                                  • String ID: IsValidLocaleName$3D
                                  • API String ID: 1901932003-2077415542
                                  • Opcode ID: dbdf72e8e2661f57c780aa44d4f8bbb8f5dee09d7a0af35499866a64bb157ce1
                                  • Instruction ID: 1aafa65fd00d6e25da83e5a77131e27d47e67d355686313c1ce54cf128189aa6
                                  • Opcode Fuzzy Hash: dbdf72e8e2661f57c780aa44d4f8bbb8f5dee09d7a0af35499866a64bb157ce1
                                  • Instruction Fuzzy Hash: 25F0B430A84608B7E7106B219C06FAD7B54CF05712F10416AFD056A282DA795E0295ED
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,0040BB7D), ref: 0040BA70
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                  • API String ID: 1174141254-4188645398
                                  • Opcode ID: ca829069d2ce8ea43e751321776d665e202aa916b578ec7047a83a5cbf5cb83f
                                  • Instruction ID: fa1b3df0c65eba921df0d08a7c52afbe64c16d4fabbb7ff89d5955b2db38ff16
                                  • Opcode Fuzzy Hash: ca829069d2ce8ea43e751321776d665e202aa916b578ec7047a83a5cbf5cb83f
                                  • Instruction Fuzzy Hash: D0F08230A0131AA6CA14FBE6DC478FF7B6CCD10754B10007FBA01B22D2EE79994586DE
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040BC46), ref: 0040BAD3
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                  • API String ID: 1174141254-2800177040
                                  • Opcode ID: ff1e04917ef7ab40df2d8b2c41cf8774f294d3a750308a055e092a3a7fb8a056
                                  • Instruction ID: e51b4f52c028d78bdf66c263ab0f3750d3580a43710b0836be6e4890ee81e12e
                                  • Opcode Fuzzy Hash: ff1e04917ef7ab40df2d8b2c41cf8774f294d3a750308a055e092a3a7fb8a056
                                  • Instruction Fuzzy Hash: 5CF08231A0121A96CA14F7E6DC478FF7B6CCD10718B00007FBA01B22D2EE799941C6DE
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040BCA9), ref: 0040BB36
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: AppData$\Opera Software\Opera Stable\
                                  • API String ID: 1174141254-1629609700
                                  • Opcode ID: b2337b37847ca17ffea5e4214bd8702633ac8d1ccab1a3e4bbdf02f99d66b62b
                                  • Instruction ID: e6a7174926e5e3b4842ccf786cfde627425bba0d2052536d9f30216573a1e43c
                                  • Opcode Fuzzy Hash: b2337b37847ca17ffea5e4214bd8702633ac8d1ccab1a3e4bbdf02f99d66b62b
                                  • Instruction Fuzzy Hash: 78F05E30A0021996CA14F7A2DC479FFBB6C9910718B10047FBA01B31D2EE799981C6EE
                                  APIs
                                  • GetKeyState.USER32(00000011), ref: 0040ABC1
                                    • Part of subcall function 004099E3: GetForegroundWindow.USER32(00473040,?,00473040), ref: 00409A17
                                    • Part of subcall function 004099E3: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409A22
                                    • Part of subcall function 004099E3: GetKeyboardLayout.USER32(00000000), ref: 00409A29
                                    • Part of subcall function 004099E3: GetKeyState.USER32(00000010), ref: 00409A33
                                    • Part of subcall function 004099E3: GetKeyboardState.USER32(?), ref: 00409A40
                                    • Part of subcall function 004099E3: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409A5C
                                    • Part of subcall function 00409BA9: SetEvent.KERNEL32(?,?,00000000,0040A780,00000000), ref: 00409BD5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                  • String ID: [AltL]$[AltR]
                                  • API String ID: 3195419117-2658077756
                                  • Opcode ID: 19d92e01481f5c260c0ba938d66d2a31bcfacfe8d4367cf3a65dc4e59eba1607
                                  • Instruction ID: 96eefd13142f1eb0f51443313c58276a15165e9a298fe6b1d87f9ff32337ecc9
                                  • Opcode Fuzzy Hash: 19d92e01481f5c260c0ba938d66d2a31bcfacfe8d4367cf3a65dc4e59eba1607
                                  • Instruction Fuzzy Hash: 9AE0652170431017C918323E691BA7E392197C2774B40016FF9467B6D7D8BE9D5193CF
                                  APIs
                                  • GetKeyState.USER32(00000012), ref: 0040AC1B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: State
                                  • String ID: [CtrlL]$[CtrlR]
                                  • API String ID: 1649606143-2446555240
                                  • Opcode ID: 33a84345932de5db8031a093222f25a6023d4cfa9ddbd418392b8eb36d481b13
                                  • Instruction ID: 5068e35745fff1d0ae311e30ec864f18ca5ee1bac8daf42aff9a91bbfa6ecc8a
                                  • Opcode Fuzzy Hash: 33a84345932de5db8031a093222f25a6023d4cfa9ddbd418392b8eb36d481b13
                                  • Instruction Fuzzy Hash: E5E08621B0831017D924353F5A1E67A3910A7917A0F41027FF9426B6C6E87E8D2062CF
                                  APIs
                                    • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                                  • __Init_thread_footer.LIBCMT ref: 0041046C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: hJG$lJG
                                  • API String ID: 1881088180-3986032958
                                  • Opcode ID: 3098f39f6e044b7fe1c83a17937fea0626eb8e384405a203024fdf0746d1f617
                                  • Instruction ID: 959a6744f9fea07c9b6c9e8e76648da5020df6129c556cb91e4ae22f1d5d63cc
                                  • Opcode Fuzzy Hash: 3098f39f6e044b7fe1c83a17937fea0626eb8e384405a203024fdf0746d1f617
                                  • Instruction Fuzzy Hash: 8DE0D8310415108AC110A71895829E933589B88325B61912FF904976918BAC19C1C75F
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C64D,00000000,00473220,00473238,?,pth_unenc), ref: 00412D19
                                  • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412D2D
                                  Strings
                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412D17
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteOpenValue
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                  • API String ID: 2654517830-1051519024
                                  • Opcode ID: 73d02ef1f0cc626344373e057ae6400ba39a732c9e2669238d64bd595eb6c070
                                  • Instruction ID: 31757409137fc2aa28e21d2d38410cee3dd97c0c89aa87a52c5bf8b2ac0ec4d3
                                  • Opcode Fuzzy Hash: 73d02ef1f0cc626344373e057ae6400ba39a732c9e2669238d64bd595eb6c070
                                  • Instruction Fuzzy Hash: D6E0C27124820CBBEF104F71EE06FFB376CEB01F01F1002A5B90592191C66ADA149664
                                  APIs
                                  • EnumWindows.USER32(Function_000165EC,00000000), ref: 00416809
                                    • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnumWindowssend
                                  • String ID: h5G$4G
                                  • API String ID: 2535772952-2693735065
                                  • Opcode ID: 24f76193bb2d8881483fa60ce3f480861a414d44bb80db56b4ec649bb459a7bd
                                  • Instruction ID: 9fe717f4edf3aaa12838891801d990c24a3a4d72d66b7b51c9a4e32ebb080fb0
                                  • Opcode Fuzzy Hash: 24f76193bb2d8881483fa60ce3f480861a414d44bb80db56b4ec649bb459a7bd
                                  • Instruction Fuzzy Hash: 3FE080207C9350B6DB31B7697D0679D39064752B54F14007EB5043A3D2C6DD5581C7DE
                                  APIs
                                  • TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                                  • WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ObjectProcessSingleTerminateWait
                                  • String ID: pth_unenc
                                  • API String ID: 1872346434-4028850238
                                  • Opcode ID: ad6d013055d9b0547f0538c52e8fbec790f1cdf5f70ab7e2b39207b65bdb286b
                                  • Instruction ID: e19746668ad3e5a2aa3259df84083bc395050bd976cc2345e4ea1c63972d9be6
                                  • Opcode Fuzzy Hash: ad6d013055d9b0547f0538c52e8fbec790f1cdf5f70ab7e2b39207b65bdb286b
                                  • Instruction Fuzzy Hash: 58D0C93414A311EBD7310BA0BC08B043B68A715362F140271F42C512F1C7659494AA59
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043F5F7
                                  • GetLastError.KERNEL32 ref: 0043F605
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043F660
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  • Opcode ID: 4fb4c8b8568d1047ed6eec146a53b7fea1d3df898e1d451945ab7130e1f9dab9
                                  • Instruction ID: 66686387026925be6180075210ad86107624aebec9d48f20dae67bb7d6d05db2
                                  • Opcode Fuzzy Hash: 4fb4c8b8568d1047ed6eec146a53b7fea1d3df898e1d451945ab7130e1f9dab9
                                  • Instruction Fuzzy Hash: 7541F831E04206AFDB218F65C846ABB7BA4DF09320F14517FF895972B1DB388D06CB59
                                  APIs
                                  • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411433), ref: 004110CF
                                  • IsBadReadPtr.KERNEL32(?,00000014,00411433), ref: 0041119B
                                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004111BD
                                  • SetLastError.KERNEL32(0000007E,00411433), ref: 004111D4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3838497258.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastRead
                                  • String ID:
                                  • API String ID: 4100373531-0
                                  • Opcode ID: 9794c43bf96480927521ed5b23b738f4c51868486ab28171da95fa3270170194
                                  • Instruction ID: 8f6c103362ea378475082746bf01fa46c2f289026e2d243d47b01123f6745c32
                                  • Opcode Fuzzy Hash: 9794c43bf96480927521ed5b23b738f4c51868486ab28171da95fa3270170194
                                  • Instruction Fuzzy Hash: 36418E71604305AFEB248F19DC84BA7B7E5FF48714F00482EEB46876A1EB34E845CB19